Full Disclosure: Re: Hotmail.com doesn't like russians, returns 500 internal server error.

[James Tucker <jftucker () gmail com>]

Thought I'd just call you both fools.

For two reasons:
1. Humerous Irony which seems to have been missed.
2. This is a spam thread, so I thought I would add to it. (Oh sorry,
does that fall under [1]?)
-SUBJECTIVE.

Thank you for some mild entertainment children, but would you be more
flamboyant and dramatic in future, it gets better 'ratings'. Maybe pop
in a few curse words and the like, oh and some leet speek for good
measure?

THE POINT (had to really): Remember, you cant climb up out the gutter
by digging down into the muck. (Maybe that's why I've been 'AFK' for
so long.)

On 4/30/05, Remko Lodder <remko () elvandar org> wrote:
> pretty vacant wrote:
> > Uh, that has nothing to do with catching an exception. It's allowed by
> > the CustomErrors setting in web.config.
> >
> > Hardly worth noting.. in fact, I don't even know why I'm bothering to
> > respond... I suppose it's just to point out that you're an idiot.
> (I also replied to pretty vacant, but i wasn't a member of the list
> yet).
>
> hi,
>
> You seem very nice... But i think that if you would have been
> smart you wouldn't have said this.
>
> Did you ever consider that someone might tried to be good
> and just missed the bat due lack of knowledge? That is not
> being an idiot, that might be someone that needs some guidance
> and then becomes a good or perhaps even a very good person who
> can help us (the hackers all over the world).
>
> Just stating that someone is stupid included in this reply
> makes yourself a fool...
>
> > On Apr 28, 2005, at 11:31 PM, <auto491351 () hushmail com>
> > <auto491351 () hushmail com> wrote:
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > My friend blshkv showed me that he get hotmail.com to crash by just
> > visiting the site! I used Paros Proxy to intercept the request and
> > replayed it using telnet, with the same result.
> >
> > The request looks like this:
> >
> >
> >     GET http://www.hotmail.com/ HTTP/1.0
> >     User-Agent: Mozilla/4.78 (X11; Linux i686; U) Opera 7.54 [en]
> > Paros/3.2.0
> >     Host: www.hotmail.com
> >     Accept: text/html, application/xml;q=0.9,
> > application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-
> > xbitmap, */*;q=0.1
> >     Accept-Language: en;q=1.0,ru;q=0.9
> >     Accept-Charset: windows-1251, utf-8, utf-16, iso-8859-1;q=0.6,
> > *;q=0.1
> >     Pragma: no-cache
> >     Cache-Control: no-cache
> >     Proxy-Connection: close
> >
> >
> >
> > and this is the response (been edited due to space):
> >
> >
> >     HTTP/1.1 500 Internal Server Error
> >     Date: Thu, 28 Apr 2005 09:59:35 GMT
> >     Server: Microsoft-IIS/6.0
> >     X-Powered-By: ASP.NET
> >     X-AspNet-Version: 1.1.4322
> >     Cache-Control: private
> >     Content-Type: text/html; charset=utf-8
> >     Content-Length: 3026
> >     Via: 1.1 Application and Content Networking System Software
> > 5.1.13
> >     Proxy-Connection: Close
> >
> > Interesting, isn't it?
> >
> > After futher investigation it seems like hotmail.com has a problem
> > with russian language settings. See below for the diff between an
> > 500 Internal Server Error and 200 OK request:
> >
> >
> >     -Accept-Language: en;q=1.0,ru;q=0.9
> >     +Accept-Language: en
> >
> >
> >
> > I guess Hotmail.com's system administrators missed a few hardening
> > steps, their developers forgot to have a default catch statement in
> > their code and the QA people missed both of these issues in the
> > UAT.
> > -----BEGIN PGP SIGNATURE-----
> > Note: This signature can be verified at https://www.hushtools.com/verify
> > Version: Hush 2.4
> >
> > wkYEARECAAYFAkJxqiwACgkQYDBikGF9JABTnQCgmtAwln+y5/E3Wh+azhYsaufQnvkA
> > oIZ7M+sBtxRPttpkiUjOSa9EGpZy
> > =lrCT
> > -----END PGP SIGNATURE-----
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> --
> Kind regards,
>
>       Remko Lodder  ** remko () elvandar org
>       Reporter DSINET  **  remko () DSINet org
>       Founder Tienervaders  ** remko () tienervaders org
>       FreeBSD Documentation Project  ** remko () FreeBSD org
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/