I’ve been attaching some updates to my United Nations VS SQL Injections article, but this story now deserves another clarification post.
A few hours ago I was contacted by Ronda Hauben (Telepolis/OMNI), asking if I had any news about the vulnerability and how the agency was handling it.
I answered her just like I answered the inquiry I received from Anne Broache (CNET/News.com) yesterday:
I can confirm the vulnerability is still there.
The U.N. staff just deployed a cosmetic patch to hide the bug from the most obvious tests, but this measure cannot prevent an attack.
I reported this problem to U.N. on Monday morning (8.06 AM UTC), offering cooperation to evaluate and fix it under the provisions of the RFPolicy.
They have not come back to me yet, but on the other hand the aforementioned policy grants them 5 days to do so.
As I said, the site is still vulnerable, but I won’t disclose any other technical detail until this “grace time” has expired.
Shortly after I sent Ronda my reply (around 22.00 UTC), I was about to go to bed when I decided to check again…
To my surprise, all my U.N. bookmarks landed on 404 (not found) pages, and when I tried the www.un.org home page itself I was welcomed by this message: