Create your own Engadget sub domains
Most of you probably read Engadget, the most popular blog on the web. This morning I found a couple of holes in the blog CMS that they use and decided to exploit them while most people in the US were on vacation for a few days.
The CMS allows wildcard sub domains and doesn’t validate the input in any way so you can set up your own pages on Engadget about anything you like. Type some stuff in the form below and have fun!
Here are some fun ones I made up:
The lesson behind this post is to always validate your inputs.
How is this injecting anything? You’re simply making use of a wildcard entry in the vhosts configuration. Those files don’t actually exist; it’s just the URL you’re entering. They’re not putting that information back out on the page, so you’ve got no chance of an XSS or injection-style attack.
andrew June 30, 2007 10:40 am | Reply
People in the States are away next weekend, not this. 4th of July and the 4 days following…
wendy June 30, 2007 11:18 am | Reply
Andrew, I’m not trying to do an XSS attack. Just having a bit of fun with the fact Engadget doesn’t validate their input.
My post makes no mention of injections or XSS.
The point is that if somebody else can come along and create an unlimited number of blank pages on your site you are at risk of some serious Google penalties.

Wendy, I know some people in the US are taking a long weekend this weekend as well but you are quite right.
Patrick Altoft June 30, 2007 4:50 pm | Reply
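The fix the post and the author's reply point at is to stop answering for hostnames that were never meant to exist: with a wildcard vhost, validate the Host header against an allow-list, send known aliases to one canonical name, and give every made-up subdomain a 404 instead of a blank page. The WSGI middleware below is an added example and not Engadget's or any CMS's code; the hostnames are constructed placeholders.

```python
import re
from urllib.parse import quote

# Constructed sample site; these hostnames are placeholders, not a real site's.
CANONICAL_HOST = "www.example-blog.test"
ALLOWED_HOSTS = {CANONICAL_HOST, "example-blog.test"}
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOST_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")

def normalize_host(raw):
    """Lower-case the Host header, drop any :port and trailing dot.
    Returns None when the value is missing or not a syntactic hostname."""
    if not raw:
        return None
    host = raw.strip().lower().rstrip(".").split(":", 1)[0]
    return host if HOST_RE.match(host) else None

def classify_host(raw):
    """Decide what to do with a request carrying this Host value."""
    host = normalize_host(raw)
    if host is None or host not in ALLOWED_HOSTS:
        return ("reject", None)              # wildcard-only names get no page at all
    if host != CANONICAL_HOST:
        return ("redirect", CANONICAL_HOST)  # one canonical copy for search engines
    return ("serve", host)

class HostGuard:
    """WSGI middleware: only allow-listed hosts reach the wrapped application."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        action, target = classify_host(environ.get("HTTP_HOST"))
        if action == "reject":
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"unknown host\n"]
        if action == "redirect":
            location = "https://%s%s" % (target, quote(environ.get("PATH_INFO", "/")))
            start_response("301 Moved Permanently", [("Location", location)])
            return [b""]
        return self.app(environ, start_response)

def call(app, host, path="/"):
    """Run one request through a WSGI app; returns (status, headers, body)."""
    captured = {}
    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(app({"HTTP_HOST": host, "PATH_INFO": path}, start_response))
    return captured["status"], captured["headers"], body

def hello(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]

guarded = HostGuard(hello)
```

The same allow-list belongs in the web server too (a default vhost that returns 404 for unmatched names), so arbitrary subdomains never reach the CMS at all.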