Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Hotmail.com doesn't like russians, returns 500 internal server error.
From: James Tucker <jftucker () gmail com>
Date: Sun, 1 May 2005 19:33:31 +0100

Thought I'd just call you both fools.

For two reasons:
1. Humerous Irony which seems to have been missed.
2. This is a spam thread, so I thought I would add to it. (Oh sorry,
does that fall under [1]?)
-SUBJECTIVE.

Thank you for some mild entertainment children, but would you be more
flamboyant and dramatic in future, it gets better 'ratings'. Maybe pop
in a few curse words and the like, oh and some leet speek for good
measure?

THE POINT (had to really): Remember, you cant climb up out the gutter
by digging down into the muck. (Maybe that's why I've been 'AFK' for
so long.)

On 4/30/05, Remko Lodder <remko () elvandar org> wrote:
pretty vacant wrote:
Uh, that has nothing to do with catching an exception. It's allowed by
the CustomErrors setting in web.config.

Hardly worth noting.. in fact, I don't even know why I'm bothering to
respond... I suppose it's just to point out that you're an idiot.


(I also replied to pretty vacant, but i wasn't a member of the list
yet).

hi,

You seem very nice... But i think that if you would have been
smart you wouldn't have said this.

Did you ever consider that someone might tried to be good
and just missed the bat due lack of knowledge? That is not
being an idiot, that might be someone that needs some guidance
and then becomes a good or perhaps even a very good person who
can help us (the hackers all over the world).

Just stating that someone is stupid included in this reply
makes yourself a fool...



On Apr 28, 2005, at 11:31 PM, <auto491351 () hushmail com>
<auto491351 () hushmail com> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

My friend blshkv showed me that he get hotmail.com to crash by just
visiting the site! I used Paros Proxy to intercept the request and
replayed it using telnet, with the same result.

The request looks like this:


    GET http://www.hotmail.com/ HTTP/1.0
    User-Agent: Mozilla/4.78 (X11; Linux i686; U) Opera 7.54 [en]
Paros/3.2.0
    Host: www.hotmail.com
    Accept: text/html, application/xml;q=0.9,
application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-
xbitmap, */*;q=0.1
    Accept-Language: en;q=1.0,ru;q=0.9
    Accept-Charset: windows-1251, utf-8, utf-16, iso-8859-1;q=0.6,
*;q=0.1
    Pragma: no-cache
    Cache-Control: no-cache
    Proxy-Connection: close



and this is the response (been edited due to space):


    HTTP/1.1 500 Internal Server Error
    Date: Thu, 28 Apr 2005 09:59:35 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    X-AspNet-Version: 1.1.4322
    Cache-Control: private
    Content-Type: text/html; charset=utf-8
    Content-Length: 3026
    Via: 1.1 Application and Content Networking System Software
5.1.13
    Proxy-Connection: Close

Interesting, isn't it?

After futher investigation it seems like hotmail.com has a problem
with russian language settings. See below for the diff between an
500 Internal Server Error and 200 OK request:


    -Accept-Language: en;q=1.0,ru;q=0.9
    +Accept-Language: en



I guess Hotmail.com's system administrators missed a few hardening
steps, their developers forgot to have a default catch statement in
their code and the QA people missed both of these issues in the
UAT.
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkJxqiwACgkQYDBikGF9JABTnQCgmtAwln+y5/E3Wh+azhYsaufQnvkA
oIZ7M+sBtxRPttpkiUjOSa9EGpZy
=lrCT
-----END PGP SIGNATURE-----


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

--
Kind regards,

      Remko Lodder  ** remko () elvandar org
      Reporter DSINET  **  remko () DSINet org
      Founder Tienervaders  ** remko () tienervaders org
      FreeBSD Documentation Project  ** remko () FreeBSD org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]