Search engine optimisation from Blogstorm

Create your own Engadget sub domains

by Patrick Altoft on June 30, 2007

Most of you probably read Engadget, the most popular blog on the web. This morning I found a couple of holes in the blog CMS that they use and decided to exploit them while most people in the US were on vacation for a few days.

The CMS answers for wildcard sub domains and doesn't validate the sub domain or the page name in any way, so whatever combination you type becomes a live URL on Engadget. Type some stuff in the form below and have fun!

[Form: Sub Domain | Page Name]

Here are some fun ones I made up:

We hate the iPhone

Matt Cutts vs Britney

Kevin Rose loves del.icio.us

The lesson behind this post is to always validate your inputs. A site that answers any Host header and any page name with a real page lets outsiders mint an unlimited number of URLs on its domain, which is exactly the sort of duplicate and empty content that search engines penalise. Refuse host names you don't actually serve, redirect the ones you do to a single canonical host, and return a 404 for pages that don't exist.
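As an added example, not code from the original post or from Engadget's CMS, here is a small request router that shows the weak behaviour described above beside a hardened version that validates the Host header and the page name. The domain example-blog.com, the host allow-list, the page list and the sample requests are all invented for the example.

```python
# Added example, not code from the original post or from Engadget's CMS.
# Host names, the page list and the sample requests are all made up.

from urllib.parse import quote

DOMAIN = "example-blog.com"                       # assumed apex domain
CANONICAL_HOST = "www." + DOMAIN                  # assumed canonical host
KNOWN_HOSTS = {DOMAIN, CANONICAL_HOST}            # assumed allow-list of served hosts
KNOWN_PAGES = {"/", "/about", "/2007/06/30/iphone-review"}  # assumed published pages


def normalise_host(host):
    """Lower-case the Host header and drop any port or trailing dot."""
    return host.split(":", 1)[0].strip().lower().rstrip(".")


def route_wildcard(host, path):
    """The weak behaviour: wildcard DNS plus a catch-all vhost, so every
    *.example-blog.com name and every page name is answered with 200."""
    host = normalise_host(host)
    if host == DOMAIN or host.endswith("." + DOMAIN):
        return 200, {}
    return 404, {}


def route_validated(host, path):
    """The hardened behaviour: serve only hosts and pages you actually publish."""
    host = normalise_host(host)
    if host not in KNOWN_HOSTS:
        # Wildcard DNS may still resolve anything.example-blog.com, but the
        # server refuses it (nginx can do the same with a default vhost that
        # returns 444 and closes the connection).
        return 404, {}
    if host != CANONICAL_HOST:
        # One canonical URL per page so crawlers index a single copy.
        return 301, {"Location": "https://%s%s" % (CANONICAL_HOST, quote(path))}
    if path not in KNOWN_PAGES:
        return 404, {}
    return 200, {}


def indexable_urls(router, requests):
    """Return the set of URLs a crawler would see answered with 200."""
    return {
        "http://%s%s" % (normalise_host(h), p)
        for h, p in requests
        if router(h, p)[0] == 200
    }


# Constructed sample traffic: made-up sub domains and page names, in the
# spirit of the ones the post links to.
SAMPLE_REQUESTS = [
    ("www.example-blog.com", "/about"),
    ("example-blog.com", "/about"),
    ("wehatetheiphone.example-blog.com", "/"),
    ("mattcuttsvsbritney.example-blog.com", "/showdown"),
    ("kevinrose.example-blog.com", "/loves/delicious"),
    ("WWW.Example-Blog.com:80", "/no-such-page"),
]

if __name__ == "__main__":
    for name, router in (("wildcard", route_wildcard), ("validated", route_validated)):
        urls = indexable_urls(router, SAMPLE_REQUESTS)
        print("%s vhost: %d indexable URL(s)" % (name, len(urls)))
        for url in sorted(urls):
            print("  " + url)
```

Run against the same six requests, the wildcard router hands a crawler six distinct 200 pages, five of which nobody on the site ever published; the validated router hands it one, redirects the bare domain to the canonical host, and 404s everything else.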


Published in: Blogging

3 comments

1 andrew 30/06/2007 at 10:40 am

How is this injecting anything, you’re simply making use of a wildcard entry in the vhosts configuration. Those files don’t actually exist, it’s just the URL you’re entering. They’re not putting that information back out on the page, so you’ve got no chance of an XSS or injection style attack.

2 wendy 30/06/2007 at 11:18 am

People in the States are away next weekend, not this. 4th of July and the 4 days following…

3 Patrick Altoft 30/06/2007 at 4:50 pm

Andrew, I’m not trying to do an XSS attack. Just having a bit of fun with the fact Engadget doesn’t validate their input.

My post makes no mention of injections or XSS.

The point is that if somebody else can come along and create an unlimited number of blank pages on your site you are at risk of some serious Google penalties.

Wendy, I know some people in the US are taking a long weekend this weekend as well but you are quite right. :)
