XSS Exploit on Half a Million 123 Reg Parked Domains

by Patrick Altoft on / 4 responses

UK registrar 123-reg.co.uk has had a fair few customer relations issues in the past. Today I was digging into an issue for a client site and found some interesting things related to the way 123 Reg handles parked pages.

The problem was that the client's site didn't open when you left the www out of the domain. For example, visiting this link was OK but this one takes you to a parked page (this site isn't my client, just an example).

A quick check on how many sites 123 Reg has parked and indexed in Google reveals about half a million so there are plenty of trusted domains to have fun with.

123 Reg has left a nice XSS hole in their parked pages, allowing any user to create an unlimited number of links on spam sites like this one and, even better, this one.

Basically every single one of the half million domains parked with 123 Reg can be injected with links to whatever sites a spammer wants.
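To make the mechanism behind a bug like this concrete, here is an added example (not 123 Reg's code, and not taken from the post): a minimal parked-page renderer that reflects a query parameter into its HTML, shown in the vulnerable form beside the hardened form. The page template, the parameter name `q`, the host `parked.example` and the injected link are all assumptions constructed for the illustration. The fix is output encoding for the HTML text context, and the final check shows how a scanner or test would tell the two apart.

```python
"""Reflected-XSS demonstration in the style of the parked-page bug described above.
Not 123 Reg's code: the template, the query-parameter name 'q', the sample host and
the injected value are assumptions constructed for this illustration."""
import html
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample: an attacker-controlled value carrying an anchor tag,
# URL-encoded into the query string exactly as a browser would send it.
INJECTED_LINK = '<a href="http://spam.example/">cheap pills</a>'
SAMPLE_URL = "http://parked.example/?" + urlencode({"q": INJECTED_LINK})

# Hypothetical parked-page template; the reflected value lands in HTML text context.
TEMPLATE = (
    "<html><body><h1>This domain is parked</h1>"
    "<p>You searched for: {term}</p></body></html>"
)


def reflected_term(url: str) -> str:
    """Extract the (hypothetical) 'q' parameter that the parked page echoes back."""
    query = parse_qs(urlparse(url).query)
    return query.get("q", [""])[0]


def render_vulnerable(url: str) -> str:
    """Vulnerable form: the user-controlled value is pasted into the HTML untouched,
    so any markup in it becomes live markup on a trusted domain."""
    return TEMPLATE.format(term=reflected_term(url))


def render_fixed(url: str) -> str:
    """Hardened form: HTML-encode the value for the text context it is rendered in.
    quote=True also encodes quotes, so the same helper is safe inside attributes."""
    return TEMPLATE.format(term=html.escape(reflected_term(url), quote=True))


def contains_injected_anchor(page: str) -> bool:
    """Crude detection check: did a live <a> element survive into the output?
    The template itself has no anchors, so any '<a ' is injected markup."""
    return "<a " in page.lower()


if __name__ == "__main__":
    print("vulnerable page carries injected link:",
          contains_injected_anchor(render_vulnerable(SAMPLE_URL)))  # True
    print("fixed page carries injected link:",
          contains_injected_anchor(render_fixed(SAMPLE_URL)))       # False
```

The encoded value reaches the browser as literal text (`&lt;a href=...&gt;`) rather than as a link, which is the property that closes the hole; encoding at the point of output, per context, is what a registrar's page template needs regardless of which parameter is reflected.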

[Screenshot: 123 Reg XSS]

Patrick Altoft is Director of Search at Branded3, a Leeds SEO & Digital Agency specialising in SEO, Web Design, Development & Social Media.


Comments


September 6, 2007 at 4:00pm

Someone needs to automate this ;-)


AwayInAManger
September 10, 2007 at 10:40am

Fixed.


September 24, 2007 at 7:51pm

lol @ using Matt Cutts domain ;-)


November 18, 2008 at 6:27am

Never mind, McAfee ScanAlert (HackerSafe) reckon that XSS vulnerabilities are not dangerous so there’s no need to fail a site if it has XSS.

