How Plone Websites are being Used to Spam Blogs

There’s an interesting, destructive little exploit being used to spam and doubless many other blogs at the moment. It took a small amount of investigation but was fairly easy to work out, and rather than sit on the info and hope it will go away, I’ll show you how it’s done, so that Plone might work to fix this problem. At least they could alert their users to the risks.

How it Works

1. Find sites built with Plone.

2. Join those sites, and create a page like this one. Notice that it redirects to

You can make it do that by putting code like this in the body:

Why It Works

What happens is, Google follows the link from your spam on sites like this one but does not redirect as Googlebot doesn’t follow Javascript redirects. As you’ve chosen Plone sites with good reputation and PageRank, they rank for the terms you use in your link text, and unsuspecting Google users click the linksthey find in Search results, and are redirected to your scummy pharma affiliate link.

No need for a real website of your own, this is Parasite SEO kids.

Ordinarily I’d not waste time with it, but if it starts affecting my sites, i get kind of interested in seeing it stop you know?

powered by performancing firefox

5 thoughts on “How Plone Websites are being Used to Spam Blogs

  1. Hi – Alexander Limi, co-founder of Plone here.

    This is an old, old vulnerability that only exists in the Plone 2.0.x series.

    It was fixed over a year ago, and the site in question is running a version of Plone that is between 18 and 24 months old as of August 2006.

    Not much we can do about people that don’t update their sites and stay current on security, unfortunately. If you try your JS redirection trick on any current Plone version (2.1, 2.5), you’ll see that it doesn’t work.

    Plone filters all HTML aggressively out of the box, and you can’t put in content that does malicious things like this anymore.

    If you have any other questions, feel free to contact me or ask here. (I’m new to Performancing, so not sure if I get comment notifies

    Best regards,

    Alexander Limi
    Plone Foundation

  2. So they are posting spammy links here in performancing pushing people through a plone site redirect to the final destination advertiser site or something.

    Where does the spam come in though?

  3. It only affects this site when the person building the phoney pages that redirect users on plone sites posts here, linking to the plone page that redirects.

    The plone page by itself is little use. You need to let google know about it and rank it by feeding it some links — and that’s when we get spammed here.

  4. Hi Nick,
    I almost follow you, but I think I’m missing something.

    What exactly is the problem that is hitting Performancing?

    Please correct me where I’m wrong as I attempt to restate the situation.
    1. A spammy website exists and sets up a affilliate trash link
    2. The trash link redirects the user to the affilliate ad instead of taking the user where they think they are going, which is performancing?
    3. Or the link bounces them through the affilliate destination and then redirects to Performancing?
    4. Uh, never mind my attempt.

    I don’t get it, how is this impacting Performancing again?

Comments are closed.