On Monday, March 11, 2013 at 6:27 p.m., AIT staff disabled the ITS Alerts website to prevent further exposure of a security vulnerability discovered earlier that day. In its place, a static placeholder page was added to give status information as to the progress of service restoration.
By 5:10pm, Tuesday, March 12, the rss files had been restored.
The security vulnerability was a form of SQL injection. While a previous attempt at defeating SQL injection of end-client inputs had been installed, it was deemed insufficient against modern methods, and the site was taken down while a more suitable correction could be installed.
Analysis revealed that while a remote system made an attempt to verify the vulnerability, no data had been disclosed; any data that would have been disclosed was either public information, or otherwise not sensitive. Further, the SQL injection vector did not have permission to modify any data due to least privilege policy.
When the service is restored, all original functionality and data will be intact, except for, of course, the vulnerability.
Please view the ITS Alerts site for updates as they become available.
Addendum (2013/Mar/13 1:07 p.m.): alert-2633 was created as the permanent alert message describing this service outage.