[Full-disclosure] Hotmail.com doesn't like russians, returns 500 internal server error.

• Previous message: Mandriva Security Team: "[Full-disclosure] MDKSA-2005:078 - Updated squid packages fix vulnerability"
• Next in thread: pretty vacant: "Re: [Full-disclosure] Hotmail.com doesn't like russians, returns 500 internal server error."
• Maybe reply: pretty vacant: "Re: [Full-disclosure] Hotmail.com doesn't like russians, returns 500 internal server error."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Thu, 28 Apr 2005 20:31:50 -0700
To: <full-disclosure@lists.grok.org.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

My friend blshkv showed me that he get hotmail.com to crash by just
visiting the site! I used Paros Proxy to intercept the request and
replayed it using telnet, with the same result.

The request looks like this:

    GET http://www.hotmail.com/ HTTP/1.0
    User-Agent: Mozilla/4.78 (X11; Linux i686; U) Opera 7.54 [en]
Paros/3.2.0
    Host: www.hotmail.com
    Accept: text/html, application/xml;q=0.9,
application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-
xbitmap, */*;q=0.1
    Accept-Language: en;q=1.0,ru;q=0.9
    Accept-Charset: windows-1251, utf-8, utf-16, iso-8859-1;q=0.6,
*;q=0.1
    Pragma: no-cache
    Cache-Control: no-cache
    Proxy-Connection: close

and this is the response (been edited due to space):

    HTTP/1.1 500 Internal Server Error
    Date: Thu, 28 Apr 2005 09:59:35 GMT
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    X-AspNet-Version: 1.1.4322
    Cache-Control: private
    Content-Type: text/html; charset=utf-8
    Content-Length: 3026
    Via: 1.1 Application and Content Networking System Software
5.1.13
    Proxy-Connection: Close

Interesting, isn't it?

After futher investigation it seems like hotmail.com has a problem
with russian language settings. See below for the diff between an
500 Internal Server Error and 200 OK request:

    -Accept-Language: en;q=1.0,ru;q=0.9
    +Accept-Language: en

I guess Hotmail.com's system administrators missed a few hardening
steps, their developers forgot to have a default catch statement in
their code and the QA people missed both of these issues in the
UAT.
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkJxqiwACgkQYDBikGF9JABTnQCgmtAwln+y5/E3Wh+azhYsaufQnvkA
oIZ7M+sBtxRPttpkiUjOSa9EGpZy
=lrCT
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Concerned about your privacy? Follow this link to get
secure FREE email: http://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
http://www.hushmail.com/services-messenger?l=434

Promote security and make money with the Hushmail Affiliate Program:
http://www.hushmail.com/about-affiliate?l=427

• text/plain attachment: snapshot1.jpg.sig

• Previous message: Mandriva Security Team: "[Full-disclosure] MDKSA-2005:078 - Updated squid packages fix vulnerability"
• Next in thread: pretty vacant: "Re: [Full-disclosure] Hotmail.com doesn't like russians, returns 500 internal server error."
• Maybe reply: pretty vacant: "Re: [Full-disclosure] Hotmail.com doesn't like russians, returns 500 internal server error."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]