Updated (Feb 22nd 2009) - the Washington Post now reports that the hack exploited a problem with the default configuration of the authentication module used to authenticate remote administrators. As a result, we categorized this incident under "insufficient authentication" and "misconfiguration".
Whenever we include a site infected with malware in WHID, we need to explain why this one is worthy of WHID, given that hundreds of thousands of web sites are planted with malware annually.
The Washington Post report about govtrip.com spreading malware is unique because this is an official US General Services Administration (GSA) web site, and employees of many US federal departments are required to reserve travel through it. In addition, the site is run by a major defense contractor, Northrop Grumman, who you would think would know better. How secure are their defense projects when it comes to application security?
