Posted to dev@httpd.apache.org by tser <te...@worldonline.nl> on 1999/08/30 21:26:41 UTC

(hotmail hacked) (hotmails runs apache)

Hi,

Does anybody know the tech details in the hotmail hack?
What I could make up from all the blabla floating around was
that it was a programming error on the cgi interface.

After all they used apache there, and not iis,
so their web server should have been safe.

		- Reinder.

Re: (hotmail hacked) (hotmails runs apache)

Posted by jw...@cp.net.
tser wrote:
> 
> Hi,
> 
> Does anybody know the tech details in the hotmail hack?
> What I could make up from all the blabla floating around was
> that it was a programming error on the cgi interface.
> 
> After all they used apache there, and not iis,
> so their web server should have been safe.

It isn't a stack smashing attack to get a root shell or anything.  It is
bone-headed programming on the part of their application writers.  They
implemented a new "Microsoft Passport" system that allows you to access
multiple Microsoft services with a single login.  They wrote the system
such that passing the fields "user" and "pass" in the query string
allows you to access a user's mailbox even if pass is not the correct
password.

At this time it looks like they have taken their service offline, but
you can see how simple the attack is at http://lagparty.org/hotmail

Cheers,
Jeffrey
-- 
Jeffrey W. Baker * jwb@cp.net
Critical Path, Inc. * we handle the world's email * www.cp.net
415.808.8807
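The class of bug Jeffrey describes (a login handler that grants access once "user" and "pass" are present, without actually verifying the password) shown beside a handler that checks the credential. This is an added illustration written for this archive page, not Hotmail's or Passport's code; the user store, the salt, the sample password and the assumption that the check was a mere presence test are all constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed user store: username -> (salt, PBKDF2-SHA256 hash of the password).
# These values are invented for the example; nothing here is from the real service.
SALT = b"constructed-salt"


def _hash(salt: bytes, password: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


USERS = {"alice": (SALT, _hash(SALT, "s3cret-pw"))}
_DUMMY = (SALT, "0" * 64)  # used for unknown users so timing does not leak existence


def _fields(query_string: str):
    params = parse_qs(query_string)
    return params.get("user", [None])[0], params.get("pass", [None])[0]


def vulnerable_login(query_string: str):
    """Hypothetical reconstruction of the bug class: grants the mailbox as soon as
    both fields are present. The value of "pass" is never compared to anything."""
    user, pw = _fields(query_string)
    if user in USERS and pw is not None:
        return user
    return None


def hardened_login(query_string: str):
    """Same interface, but the supplied password is hashed and compared in
    constant time against the stored hash; unknown users and missing fields fail."""
    user, pw = _fields(query_string)
    if user is None or pw is None:
        return None
    salt, stored = USERS.get(user, _DUMMY)
    if user in USERS and hmac.compare_digest(_hash(salt, pw), stored):
        return user
    return None
```

The vulnerable handler accepts `user=alice&pass=anything`; the hardened one only accepts the stored password, and rejects a missing field or an unknown user the same way.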