By 7 years ago in Coding Design SEO

XSS Exploit on Half a Million 123 Reg Parked Domains

UK registrar 123-reg.co.uk has had a fair few customer relations issues in the past. Today I was digging into an issue for a client site and found some interesting things related to the way 123 Reg handles parked pages.

The problem was that the clients site didn’t open when you missed the www out of the domain. For example visiting this link was OK but this one takes you to a parked page (this site isn’t my client, just an example).

A quick check on how many sites 123 Reg has parked and indexed in Google reveals about half a million so there are plenty of trusted domains to have fun with.

123 Reg has left a nice XSS hole in their parked pages allowing any users to create an unlimited number of links on spam sites like this one and even better this one.

Basically every single one of the half million domains parked with 123 Reg can be injected with links to whatever sites a spammer wants.

123 Reg XSS

By Patrick Altoft. at 10:47AM on Wednesday, 05 Sep 2007

Patrick is the Director of Strategy at Branded3 and has spent the last 11 years working on the SEO strategies of some of the UK's largest brands. Patrick’s SEO knowledge and experience is highly regarded by many, and he’s regularly invited to speak at the world’s biggest search conferences and events. Follow Patrick Altoft on Twitter.

comments

  • http://skitx.com skitX

    Someone needs to automate this ;-)

  • AwayInAManger

    Fixed.

  • http://blogsformoney.com/ Danny @ Blogs For Money

    lol @ using Matt Cutts domain ;-)

  • http://www.ladadadada.net/blog/2007/10/13/so_many_servers_have_already_been_hacked Dave

    Never mind, McAfee ScanAlert (HackerSafe) reckon that XSS vulnerabilities are not dangerous so there’s no need to fail a site if it has XSS.