
Recently, like many of you, I've had some trouble getting websites listed on the AOL-owned “Open Directory Project” known as Dmoz.

So, looking back at a post written by Oatmeal which explains how to get 20 .gov links in 20 minutes I wondered if the same was possible for Dmoz…

After very little searching I soon discovered that the main search function of Dmoz is vulnerable.

This means malicious users could easily place HTML code into the search form input box and manipulate the markup on the site (aka Cross Site Scripting or XSS).

Here’s a proof of concept showing how you would link to example.com with the anchor text as “Look, I made a link”:

http://www.dmoz.org/search?q=%3Ch1%3E%3Ca+href%3D%22http%3A%2F%2Fexample.com%22%3ELook%2C+I+made+a+link%3C%2Fa%3E%3C/h1%3E

View the compromised page (screenshot)

To make this effective, you would simply need to swap out the domain and the anchor text and (in theory) you would have to link to them from various other websites for them to eventually get indexed and start passing link juice for things like PageRank.

This is not the first time that Dmoz has been subject to such a flaw, as in 2007 they were subject to a similar XSS vulnerability in their blog search.

There are many well-established ways Dmoz could fix this (aside from fixing their site code) on the server, but they have chosen not to. I’m not sure why.
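For reference, the site-code fix is output encoding of the reflected search term. The following is an added example, not Dmoz's code: it decodes the proof-of-concept URL from this post and renders it through a constructed stand-in template, once verbatim and once HTML-escaped, then parses each page to see whether a link element is created. The template and all function names are assumptions.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# PoC URL from the post; the page template below is a constructed stand-in.
POC_URL = ("http://www.dmoz.org/search?q=%3Ch1%3E%3Ca+href%3D%22http%3A%2F%2F"
           "example.com%22%3ELook%2C+I+made+a+link%3C%2Fa%3E%3C/h1%3E")

TEMPLATE = "<html><body><p>Search results for: {q}</p></body></html>"


def query_term(url):
    """Decode the q parameter the way a web framework would."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_vulnerable(q):
    # Reflects the decoded term verbatim: user input becomes markup.
    return TEMPLATE.format(q=q)


def render_escaped(q):
    # Output encoding for an HTML text node: <, >, &, " and ' become entities.
    return TEMPLATE.format(q=html.escape(q, quote=True))


class LinkCollector(HTMLParser):
    """Collects href values of the <a> elements a parser would create."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href")


def links_in(page):
    parser = LinkCollector()
    parser.feed(page)
    parser.close()
    return parser.hrefs


if __name__ == "__main__":
    term = query_term(POC_URL)
    print("vulnerable:", links_in(render_vulnerable(term)))
    print("escaped:   ", links_in(render_escaped(term)))
```

The same `links_in` check works as a regression test: a search results page should never contain link targets that came from the query string.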

Is there any SEO value in this type of link? It’s uncertain.

Is there a security risk? Yes, definitely.

Dmoz is not the only site to ever become subject to an XSS exploit; Twitter has been vulnerable plenty of times, but by golly they fixed it.

Will Dmoz pull their finger out or is he dead, Jim?

Note: Dmoz Staff were unavailable for comment at time of publication (email address was unreachable).
