There is a relatively simple exploit being used against my PHP Link Directory (phpLD) script, and it has become significantly more popular in the last two months. I don't intend to open the floodgates to shady link builders, but I hope to bring it to the attention of the script's creators so they can find a way to remedy the problem within the application.
I have been running the script on My Directory Live for about two and a half years, and I have recently given it more attention since its PageRank and Alexa rank have increased substantially. Right now it sits at a PR4 and an Alexa rank of 41k, not bad at all for a link directory.
With the volume of links coming in, I try to look at each one individually, but it is sometimes difficult to enforce my own guidelines. There is a mass-approve function in the admin area that lets you select all links and approve them. However, because of how the reciprocal link is displayed on the admin page, it is difficult to see the full linking URL unless you mouse over it, or sort all unapproved links to the top and check each one manually.
The exploit I have been seeing more frequently is websites that put the directory's own URL as the value of a $_GET parameter in their reciprocal link. The page they link to simply takes the value of that parameter and writes it out as a single anchor tag. When the phpLD script fetches the page, it finds the anchor, verifies the reciprocal link as valid, and moves on. In other words, the linking site never actually links to the directory; the page echoes whatever URL it is handed, so the check passes for any directory that submits it.
Here is what the link and result look like:

I am not familiar with the directory's code or the Smarty template engine, so I came up with a solution outside the script. I use a scheduled task in ColdFusion on another site to query the database, looking at the url, ipaddress, and recpr_url fields in the pld_link table for rows where the reciprocal link URL contains my directory's URL. For the links the query returns, I delete them from the table and insert the IP address and domain into the pld_banlist table.
```sql
SELECT PLD_LINK.ID, PLD_LINK.URL, PLD_LINK.RECPR_URL
FROM PLD_LINK
WHERE PLD_LINK.RECPR_URL LIKE '%www.mydirectorylive.com%'
```
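The following is an added example, not the post's ColdFusion task or any phpLD code. It reproduces the clean-up described above against an in-memory SQLite stand-in for the pld_link and pld_banlist tables (column names and the banlist shape are assumptions), using constructed sample rows with example hostnames and documentation-range IP addresses. It runs the post's LIKE filter first, then a stricter pass that parses and percent-decodes each reciprocal URL, which catches a variant the substring match misses, and finally deletes the flagged rows and bans the IP and domain.

```python
import sqlite3
from urllib.parse import urlsplit, unquote

# Hostname of the directory being protected (taken from the post's query).
DIRECTORY_HOST = "www.mydirectorylive.com"

# Constructed sample rows shaped like phpLD's pld_link table:
# (id, url, recpr_url, ipaddress). Column names are assumptions; hosts and
# addresses are example/documentation values, not real sites.
SAMPLE_LINKS = [
    (1, "http://example-partner.net/",
        "http://example-partner.net/links.html", "198.51.100.10"),
    (2, "http://spam-example.org/",
        "http://spam-example.org/out.php?u=http://www.mydirectorylive.com/",
        "203.0.113.5"),
    (3, "http://spam-example.org/site2/",
        "http://spam-example.org/go.php?target=http%3A%2F%2Fwww%2Emydirectorylive%2Ecom%2F",
        "203.0.113.5"),
    (4, "http://another-partner.example/",
        "http://another-partner.example/resources/?page=2", "198.51.100.20"),
]


def reciprocal_is_self_referencing(recpr_url, directory_host=DIRECTORY_HOST):
    """True when the reciprocal page URL carries the directory's own host in
    its path, query or fragment (or is hosted on the directory itself).
    Percent-decoding twice catches single- and double-encoded smuggling."""
    parts = urlsplit(recpr_url)
    if (parts.hostname or "").lower() == directory_host:
        return True
    haystack = parts.path + "?" + parts.query + "#" + parts.fragment
    haystack = unquote(unquote(haystack)).lower()
    return directory_host in haystack


def build_db(rows=SAMPLE_LINKS):
    """In-memory stand-in for the phpLD database (table shapes assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pld_link (id INTEGER PRIMARY KEY, url TEXT, "
                 "recpr_url TEXT, ipaddress TEXT)")
    conn.execute("CREATE TABLE pld_banlist (ipaddress TEXT, domain TEXT, "
                 "UNIQUE (ipaddress, domain))")
    conn.executemany("INSERT INTO pld_link VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def like_filter_ids(conn, directory_host=DIRECTORY_HOST):
    """The post's approach: a plain substring match on recpr_url."""
    cur = conn.execute("SELECT id FROM pld_link WHERE recpr_url LIKE ? ORDER BY id",
                       ("%" + directory_host + "%",))
    return [row[0] for row in cur]


def parsed_filter_ids(conn, directory_host=DIRECTORY_HOST):
    """Stricter pass: decode and inspect every stored reciprocal URL."""
    rows = conn.execute("SELECT id, recpr_url FROM pld_link ORDER BY id").fetchall()
    return [link_id for link_id, recpr in rows
            if reciprocal_is_self_referencing(recpr, directory_host)]


def purge_and_ban(conn, directory_host=DIRECTORY_HOST):
    """Delete flagged links and record (ip, domain) in pld_banlist, as the
    post's scheduled task does. Returns (deleted_count, banlist rows)."""
    flagged = parsed_filter_ids(conn, directory_host)
    for link_id in flagged:
        url, ip = conn.execute("SELECT url, ipaddress FROM pld_link WHERE id = ?",
                               (link_id,)).fetchone()
        domain = (urlsplit(url).hostname or "").lower()
        conn.execute("INSERT OR IGNORE INTO pld_banlist VALUES (?, ?)", (ip, domain))
        conn.execute("DELETE FROM pld_link WHERE id = ?", (link_id,))
    conn.commit()
    banlist = conn.execute(
        "SELECT ipaddress, domain FROM pld_banlist ORDER BY domain").fetchall()
    return len(flagged), banlist


if __name__ == "__main__":
    db = build_db()
    print("LIKE filter flags:  ", like_filter_ids(db))    # misses the encoded row
    print("parsed filter flags:", parsed_filter_ids(db))
    print("purged, banlist:    ", purge_and_ban(db))
```

Two caveats worth keeping in mind. The substring match can be sidestepped by percent-encoding the dots in the hostname, which is why the example decodes before comparing. And both passes only catch pages whose reciprocal URL visibly carries the directory's address; a redirector keyed by an opaque identifier would pass either one, so the durable fix belongs in the verifier itself, at the point where the application decides to credit the reciprocal link.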
If you run a link directory script, you may want to look at your tables and see how many links like this are in there. And if you know how to modify the directory to check for this within the application, it would be great to see it in the next version.


March 30th, 2009 at 4:04 pm
[...] A PHP Link Directory Reciprocal Link Exploit Revealed, Jason Bartholme [...]
May 9th, 2009 at 9:39 am
Hi,
PR4 for a phpLD directory? Not bad.
It is a difficult time for directories now. Google lately does not pay much attention to link directories…
Congratulations!