lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20050501192720.GB5241@sivokote.iziade.m$>
Date: Sun May  1 20:27:14 2005
From: guninski at guninski.com (Georgi Guninski)
Subject: Hotmail.com doesn't like russians,
	returns 500 internal server error.

On Thu, Apr 28, 2005 at 08:31:50PM -0700, auto491351@...hmail.com wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> My friend blshkv showed me that he get hotmail.com to crash by just
> visiting the site! I used Paros Proxy to intercept the request and
> replayed it using telnet, with the same result.
> 
>

i can reproduce it:

fuck@...l:~$ cat ./fsckbll.pl 
#!/usr/bin/perl -w


use IO::Socket;
my $host=$ARGV[0] || "www.hotmail.com";
my $port=$ARGV[1] || 80;


my $sock=IO::Socket::INET->new(Proto => 'tcp',
        PeerAddr => $host,PeerPort =>$port) || die("socket");

print "Connected to ${host}:${port}\n";
my $first="GET / HTTP/1.0\r\nAccept-Language: en;q=1.0,ru;q=0.9\r\n\r\n";
print $sock $first;

while(<$sock>) {print $_;}


fuck@...l:~$ ./fsckbll.pl www.hotmail.com 80
Connected to www.hotmail.com:80
HTTP/1.1 500 Internal Server Error
Connection: close
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3026

<html>
    <head>
        <title>Runtime Error</title>
        <style>
...snip...
            <b> Description: </b>An application error occurred on the server.
The current custom error settings for this application prevent the details of
the application error from being viewed remotely (for security reasons). It
could, h
owever, be viewed by browsers running on the local server machine.



 
> 
> I guess Hotmail.com's system administrators missed a few hardening
> steps, their developers forgot to have a default catch statement in
> their code and the QA people missed both of these issues in the
> UAT.

i guess hotmail missed the train.

-- 
where do you want bill gates to go today?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ