Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Hotmail.com doesn't like russians, returns 500 internal server error.
From: Georgi Guninski <guninski () guninski com>
Date: Sun, 1 May 2005 22:27:20 +0300

On Thu, Apr 28, 2005 at 08:31:50PM -0700, auto491351 () hushmail com wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

My friend blshkv showed me that he get hotmail.com to crash by just
visiting the site! I used Paros Proxy to intercept the request and
replayed it using telnet, with the same result.



i can reproduce it:

fuck () bill:~$ cat ./fsckbll.pl 
#!/usr/bin/perl -w


use IO::Socket;
my $host=$ARGV[0] || "www.hotmail.com";
my $port=$ARGV[1] || 80;


my $sock=IO::Socket::INET->new(Proto => 'tcp',
        PeerAddr => $host,PeerPort =>$port) || die("socket");

print "Connected to ${host}:${port}\n";
my $first="GET / HTTP/1.0\r\nAccept-Language: en;q=1.0,ru;q=0.9\r\n\r\n";
print $sock $first;

while(<$sock>) {print $_;}


fuck () bill:~$ ./fsckbll.pl www.hotmail.com 80
Connected to www.hotmail.com:80
HTTP/1.1 500 Internal Server Error
Connection: close
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3026

<html>
    <head>
        <title>Runtime Error</title>
        <style>
...snip...
            <b> Description: </b>An application error occurred on the server.
The current custom error settings for this application prevent the details of
the application error from being viewed remotely (for security reasons). It
could, h
owever, be viewed by browsers running on the local server machine.



 

I guess Hotmail.com's system administrators missed a few hardening
steps, their developers forgot to have a default catch statement in
their code and the QA people missed both of these issues in the
UAT.

i guess hotmail missed the train.

-- 
where do you want bill gates to go today?


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault