Discussion:
Hotmail.com doesn't like russians, returns 500 internal server error.
(too old to reply)
pretty vacant
2005-04-30 20:37:09 UTC
Permalink
Uh, that has nothing to do with catching an exception. It's allowed by
the CustomErrors setting in web.config.

Hardly worth noting.. in fact, I don't even know why I'm bothering to
respond... I suppose it's just to point out that you're an idiot.



On Apr 28, 2005, at 11:31 PM, <***@hushmail.com>
<***@hushmail.com> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

My friend blshkv showed me that he get hotmail.com to crash by just
visiting the site! I used Paros Proxy to intercept the request and
replayed it using telnet, with the same result.

The request looks like this:


GET http://www.hotmail.com/ HTTP/1.0
User-Agent: Mozilla/4.78 (X11; Linux i686; U) Opera 7.54 [en]
Paros/3.2.0
Host: www.hotmail.com
Accept: text/html, application/xml;q=0.9,
application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-
xbitmap, */*;q=0.1
Accept-Language: en;q=1.0,ru;q=0.9
Accept-Charset: windows-1251, utf-8, utf-16, iso-8859-1;q=0.6,
*;q=0.1
Pragma: no-cache
Cache-Control: no-cache
Proxy-Connection: close



and this is the response (been edited due to space):


HTTP/1.1 500 Internal Server Error
Date: Thu, 28 Apr 2005 09:59:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3026
Via: 1.1 Application and Content Networking System Software
5.1.13
Proxy-Connection: Close

Interesting, isn't it?

After futher investigation it seems like hotmail.com has a problem
with russian language settings. See below for the diff between an
500 Internal Server Error and 200 OK request:


-Accept-Language: en;q=1.0,ru;q=0.9
+Accept-Language: en



I guess Hotmail.com's system administrators missed a few hardening
steps, their developers forgot to have a default catch statement in
their code and the QA people missed both of these issues in the
UAT.
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkJxqiwACgkQYDBikGF9JABTnQCgmtAwln+y5/E3Wh+azhYsaufQnvkA
oIZ7M+sBtxRPttpkiUjOSa9EGpZy
=lrCT
-----END PGP SIGNATURE-----


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Remko Lodder
2005-04-30 20:50:42 UTC
Permalink
Post by pretty vacant
Uh, that has nothing to do with catching an exception. It's allowed by
the CustomErrors setting in web.config.
Hardly worth noting.. in fact, I don't even know why I'm bothering to
respond... I suppose it's just to point out that you're an idiot.
(I also replied to pretty vacant, but i wasn't a member of the list
yet).

hi,

You seem very nice... But i think that if you would have been
smart you wouldn't have said this.

Did you ever consider that someone might tried to be good
and just missed the bat due lack of knowledge? That is not
being an idiot, that might be someone that needs some guidance
and then becomes a good or perhaps even a very good person who
can help us (the hackers all over the world).

Just stating that someone is stupid included in this reply
makes yourself a fool...
Post by pretty vacant
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
My friend blshkv showed me that he get hotmail.com to crash by just
visiting the site! I used Paros Proxy to intercept the request and
replayed it using telnet, with the same result.
GET http://www.hotmail.com/ HTTP/1.0
User-Agent: Mozilla/4.78 (X11; Linux i686; U) Opera 7.54 [en]
Paros/3.2.0
Host: www.hotmail.com
Accept: text/html, application/xml;q=0.9,
application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-
xbitmap, */*;q=0.1
Accept-Language: en;q=1.0,ru;q=0.9
Accept-Charset: windows-1251, utf-8, utf-16, iso-8859-1;q=0.6,
*;q=0.1
Pragma: no-cache
Cache-Control: no-cache
Proxy-Connection: close
HTTP/1.1 500 Internal Server Error
Date: Thu, 28 Apr 2005 09:59:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3026
Via: 1.1 Application and Content Networking System Software
5.1.13
Proxy-Connection: Close
Interesting, isn't it?
After futher investigation it seems like hotmail.com has a problem
with russian language settings. See below for the diff between an
-Accept-Language: en;q=1.0,ru;q=0.9
+Accept-Language: en
I guess Hotmail.com's system administrators missed a few hardening
steps, their developers forgot to have a default catch statement in
their code and the QA people missed both of these issues in the
UAT.
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4
wkYEARECAAYFAkJxqiwACgkQYDBikGF9JABTnQCgmtAwln+y5/E3Wh+azhYsaufQnvkA
oIZ7M+sBtxRPttpkiUjOSa9EGpZy
=lrCT
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--
Kind regards,

Remko Lodder ** ***@elvandar.org
Reporter DSINET ** ***@DSINet.org
Founder Tienervaders ** ***@tienervaders.org
FreeBSD Documentation Project ** ***@FreeBSD.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
James Tucker
2005-05-01 18:33:31 UTC
Permalink
Thought I'd just call you both fools.

For two reasons:
1. Humerous Irony which seems to have been missed.
2. This is a spam thread, so I thought I would add to it. (Oh sorry,
does that fall under [1]?)
-SUBJECTIVE.

Thank you for some mild entertainment children, but would you be more
flamboyant and dramatic in future, it gets better 'ratings'. Maybe pop
in a few curse words and the like, oh and some leet speek for good
measure?

THE POINT (had to really): Remember, you cant climb up out the gutter
by digging down into the muck. (Maybe that's why I've been 'AFK' for
so long.)
Post by Remko Lodder
Post by pretty vacant
Uh, that has nothing to do with catching an exception. It's allowed by
the CustomErrors setting in web.config.
Hardly worth noting.. in fact, I don't even know why I'm bothering to
respond... I suppose it's just to point out that you're an idiot.
(I also replied to pretty vacant, but i wasn't a member of the list
yet).
hi,
You seem very nice... But i think that if you would have been
smart you wouldn't have said this.
Did you ever consider that someone might tried to be good
and just missed the bat due lack of knowledge? That is not
being an idiot, that might be someone that needs some guidance
and then becomes a good or perhaps even a very good person who
can help us (the hackers all over the world).
Just stating that someone is stupid included in this reply
makes yourself a fool...
Post by pretty vacant
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
My friend blshkv showed me that he get hotmail.com to crash by just
visiting the site! I used Paros Proxy to intercept the request and
replayed it using telnet, with the same result.
GET http://www.hotmail.com/ HTTP/1.0
User-Agent: Mozilla/4.78 (X11; Linux i686; U) Opera 7.54 [en]
Paros/3.2.0
Host: www.hotmail.com
Accept: text/html, application/xml;q=0.9,
application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-
xbitmap, */*;q=0.1
Accept-Language: en;q=1.0,ru;q=0.9
Accept-Charset: windows-1251, utf-8, utf-16, iso-8859-1;q=0.6,
*;q=0.1
Pragma: no-cache
Cache-Control: no-cache
Proxy-Connection: close
HTTP/1.1 500 Internal Server Error
Date: Thu, 28 Apr 2005 09:59:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3026
Via: 1.1 Application and Content Networking System Software
5.1.13
Proxy-Connection: Close
Interesting, isn't it?
After futher investigation it seems like hotmail.com has a problem
with russian language settings. See below for the diff between an
-Accept-Language: en;q=1.0,ru;q=0.9
+Accept-Language: en
I guess Hotmail.com's system administrators missed a few hardening
steps, their developers forgot to have a default catch statement in
their code and the QA people missed both of these issues in the
UAT.
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4
wkYEARECAAYFAkJxqiwACgkQYDBikGF9JABTnQCgmtAwln+y5/E3Wh+azhYsaufQnvkA
oIZ7M+sBtxRPttpkiUjOSa9EGpZy
=lrCT
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--
Kind regards,
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Loading...