[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Hotmail.com doesn't like russians, returns 500 internal server error.

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Hotmail.com doesn't like russians, returns 500 internal server error.
From: pretty vacant <optimist@xxxxxxxxxxxxxxx>
Date: Sat, 30 Apr 2005 16:37:09 -0400 (EDT)

Uh, that has nothing to do with catching an exception. It's allowed by
the CustomErrors setting in web.config.

Hardly worth noting.. in fact, I don't even know why I'm bothering to
respond... I suppose it's just to point out that you're an idiot.



On Apr 28, 2005, at 11:31 PM, <auto491351@xxxxxxxxxxxx>
<auto491351@xxxxxxxxxxxx> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

My friend blshkv showed me that he get hotmail.com to crash by just
visiting the site! I used Paros Proxy to intercept the request and
replayed it using telnet, with the same result.

The request looks like this:


    GET http://www.hotmail.com/ HTTP/1.0
    User-Agent: Mozilla/4.78 (X11; Linux i686; U) Opera 7.54 [en]
Paros/3.2.0
    Host: www.hotmail.com
    Accept: text/html, application/xml;q=0.9,
application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-
xbitmap, */*;q=0.1
    Accept-Language: en;q=1.0,ru;q=0.9
    Accept-Charset: windows-1251, utf-8, utf-16, iso-8859-1;q=0.6,
*;q=0.1
    Pragma: no-cache
    Cache-Control: no-cache
    Proxy-Connection: close



and this is the response (been edited due to space):


    HTTP/1.1 500 Internal Server Error
    Date: Thu, 28 Apr 2005 09:59:35 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    X-AspNet-Version: 1.1.4322
    Cache-Control: private
    Content-Type: text/html; charset=utf-8
    Content-Length: 3026
    Via: 1.1 Application and Content Networking System Software
5.1.13
    Proxy-Connection: Close

Interesting, isn't it?

After futher investigation it seems like hotmail.com has a problem
with russian language settings. See below for the diff between an
500 Internal Server Error and 200 OK request:


    -Accept-Language: en;q=1.0,ru;q=0.9
    +Accept-Language: en



I guess Hotmail.com's system administrators missed a few hardening
steps, their developers forgot to have a default catch statement in
their code and the QA people missed both of these issues in the
UAT.
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkJxqiwACgkQYDBikGF9JABTnQCgmtAwln+y5/E3Wh+azhYsaufQnvkA
oIZ7M+sBtxRPttpkiUjOSa9EGpZy
=lrCT
-----END PGP SIGNATURE-----


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Hotmail.com doesn't like russians, returns 500 internal server error.
  - From: Remko Lodder

Prev by Date: [Full-disclosure] Trend compensates Japanese customers over the sig flap
Next by Date: [Full-disclosure] DMA[2005-0425a] - 'ESRI ArcGIS 9.x multiple local vulnerabilities'
Previous by thread: [Full-disclosure] Trend compensates Japanese customers over the sig flap
Next by thread: Re: [Full-disclosure] Hotmail.com doesn't like russians, returns 500 internal server error.
Index(es):
- Date
- Thread