lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <Pine.BSO.4.44.0504301631310.29068-100000@eurocompton.net>
Date: Sat Apr 30 21:37:10 2005
From: optimist at eurocompton.net (pretty vacant)
Subject: Hotmail.com doesn't like russians, returns
	500 internal server error.

Uh, that has nothing to do with catching an exception. It's allowed by
the CustomErrors setting in web.config.

Hardly worth noting.. in fact, I don't even know why I'm bothering to
respond... I suppose it's just to point out that you're an idiot.



On Apr 28, 2005, at 11:31 PM, <auto491351@...hmail.com>
<auto491351@...hmail.com> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

My friend blshkv showed me that he get hotmail.com to crash by just
visiting the site! I used Paros Proxy to intercept the request and
replayed it using telnet, with the same result.

The request looks like this:


    GET http://www.hotmail.com/ HTTP/1.0
    User-Agent: Mozilla/4.78 (X11; Linux i686; U) Opera 7.54 [en]
Paros/3.2.0
    Host: www.hotmail.com
    Accept: text/html, application/xml;q=0.9,
application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-
xbitmap, */*;q=0.1
    Accept-Language: en;q=1.0,ru;q=0.9
    Accept-Charset: windows-1251, utf-8, utf-16, iso-8859-1;q=0.6,
*;q=0.1
    Pragma: no-cache
    Cache-Control: no-cache
    Proxy-Connection: close



and this is the response (been edited due to space):


    HTTP/1.1 500 Internal Server Error
    Date: Thu, 28 Apr 2005 09:59:35 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    X-AspNet-Version: 1.1.4322
    Cache-Control: private
    Content-Type: text/html; charset=utf-8
    Content-Length: 3026
    Via: 1.1 Application and Content Networking System Software
5.1.13
    Proxy-Connection: Close

Interesting, isn't it?

After futher investigation it seems like hotmail.com has a problem
with russian language settings. See below for the diff between an
500 Internal Server Error and 200 OK request:


    -Accept-Language: en;q=1.0,ru;q=0.9
    +Accept-Language: en



I guess Hotmail.com's system administrators missed a few hardening
steps, their developers forgot to have a default catch statement in
their code and the QA people missed both of these issues in the
UAT.
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkJxqiwACgkQYDBikGF9JABTnQCgmtAwln+y5/E3Wh+azhYsaufQnvkA
oIZ7M+sBtxRPttpkiUjOSa9EGpZy
=lrCT
-----END PGP SIGNATURE-----


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ