Date: Sat Apr 30 21:50:50 2005
From: remko at elvandar.org (Remko Lodder)
Subject: Hotmail.com doesn't like russians, returns
	500 internal server error.

pretty vacant wrote:
> Uh, that has nothing to do with catching an exception. It's allowed by
> the CustomErrors setting in web.config.
> 
> Hardly worth noting.. in fact, I don't even know why I'm bothering to
> respond... I suppose it's just to point out that you're an idiot.
> 

(I also replied to pretty vacant, but I wasn't a member of the list
yet).

Hi,

You seem very nice... But I think that if you would have been
smart you wouldn't have said this.

Did you ever consider that someone might have tried to be good
and just missed the bat due to lack of knowledge? That is not
being an idiot, that might be someone that needs some guidance
and then becomes a good or perhaps even a very good person who
can help us (the hackers all over the world).

Just stating that someone is stupid included in this reply
makes yourself a fool...

> 
> 
> On Apr 28, 2005, at 11:31 PM, <auto491351@...hmail.com>
> <auto491351@...hmail.com> wrote:
> 
> 
> My friend blshkv showed me that he got hotmail.com to crash by just
> visiting the site! I used Paros Proxy to intercept the request and
> replayed it using telnet, with the same result.
> 
> The request looks like this:
> 
> 
>     GET http://www.hotmail.com/ HTTP/1.0
>     User-Agent: Mozilla/4.78 (X11; Linux i686; U) Opera 7.54 [en] Paros/3.2.0
>     Host: www.hotmail.com
>     Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
>     Accept-Language: en;q=1.0,ru;q=0.9
>     Accept-Charset: windows-1251, utf-8, utf-16, iso-8859-1;q=0.6, *;q=0.1
>     Pragma: no-cache
>     Cache-Control: no-cache
>     Proxy-Connection: close
> 
> 
> 
> and this is the response (been edited due to space):
> 
> 
>     HTTP/1.1 500 Internal Server Error
>     Date: Thu, 28 Apr 2005 09:59:35 GMT
>     Server: Microsoft-IIS/6.0
>     X-Powered-By: ASP.NET
>     X-AspNet-Version: 1.1.4322
>     Cache-Control: private
>     Content-Type: text/html; charset=utf-8
>     Content-Length: 3026
>     Via: 1.1 Application and Content Networking System Software 5.1.13
>     Proxy-Connection: Close
> 
> Interesting, isn't it?
> 
> After further investigation it seems like hotmail.com has a problem
> with Russian language settings. See below for the diff between a
> 500 Internal Server Error and 200 OK request:
> 
> 
>     -Accept-Language: en;q=1.0,ru;q=0.9
>     +Accept-Language: en
> 
> 
> 
> I guess Hotmail.com's system administrators missed a few hardening
> steps, their developers forgot to have a default catch statement in
> their code and the QA people missed both of these issues in the
> UAT.
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 


-- 
Kind regards,

      Remko Lodder  ** remko@...andar.org
      Reporter DSINET  **  remko@...Net.org
      Founder Tienervaders  ** remko@...nervaders.org
      FreeBSD Documentation Project  ** remko@...eBSD.org
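
The quoted report ties the 500 response to the `ru` entry in `Accept-Language`; the thread does not establish the actual cause. As an added example (not part of the original posts and not Hotmail's code), this is one way a server can treat that header as untrusted input and fall back to a default locale instead of failing. `SUPPORTED`, `DEFAULT` and both function names are assumptions made for illustration.

```python
import re

SUPPORTED = ("en", "de", "fr")  # assumption: locales this hypothetical site ships
DEFAULT = "en"                  # assumption: locale served when nothing matches

# Language range as sent by browsers: "*" or subtags of 1-8 characters.
_RANGE = re.compile(r"\*|[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*")


def parse_accept_language(header):
    """Return [(tag, q)] ordered by descending q; malformed items are skipped."""
    prefs = []
    # The header is client-controlled, so cap how much of it is processed.
    for item in (header or "")[:1024].split(","):
        parts = [p.strip() for p in item.split(";")]
        tag = parts[0].lower()
        if not _RANGE.fullmatch(tag):
            continue
        q = 1.0
        for param in parts[1:]:
            name, _, value = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0  # unparsable weight: treat the item as not acceptable
        if 0.0 < q <= 1.0:   # also rejects nan and inf
            prefs.append((tag, q))
    return sorted(prefs, key=lambda p: -p[1])  # stable: ties keep header order


def negotiate(header):
    """Pick a supported locale; never raise on unknown or garbled input."""
    for tag, _q in parse_accept_language(header):
        if tag == "*":
            return DEFAULT
        if tag in SUPPORTED:
            return tag
        primary = tag.split("-")[0]
        if primary in SUPPORTED:
            return primary
    return DEFAULT


if __name__ == "__main__":
    # Header value from the quoted request, then constructed edge cases.
    for h in ("en;q=1.0,ru;q=0.9", "ru;q=1.0,en;q=0.9", "ru", "ru;q=abc,,;;=", None):
        print(repr(h), "->", negotiate(h))
```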
