Hi everybody,

I've been playing for a while with a project called
httpmail (http://www.sourceforge.net/projects/httpmail)
that allows access to Hotmail as a WebDAV
service, in the same fashion as Outlook Express.
However, httpmail did not seem to work for me,
saying it could not log in.

The Perl version of httpmail (which I'd been trying
to use) uses LWP as an HTTP client. I've used a
sniffer to check how Outlook and httpmail access
the server, and found a general similarity in the
initial steps. Both connect to services.msn.com,
and then they're redirected (302) to a host at
hotmail.com. They are redirected there several
times to different URLs inside hotmail.com,
asked to authenticate (401) and then redirected
to passport.com.

Now the problem, as I see it, is in httpmail's
offering of authentication after the redirect, without
receiving a 401 first. Since it doesn't receive the
401, it doesn't update the authentication realm
name, and it stays "hotmail.com", failing the
authentication.

I think that this is really a bug in LWP, as it
should not (in my opinion) offer authentication
without receiving a 401, and in particular,
having been redirected to another domain
(which creates, in my opinion, a security risk,
as an erroneous redirect could disclose the
authentication details to a third-party server).

I bring you the comparative dumps below. I changed my
e-mail address to [EMAIL PROTECTED] in order to
evade e-mail address harvesters used by spammers;
I also deleted the hashes sent for authentication.

 ------------------------
 Outlook
 ------------------------
 PROPFIND /digest.srf?_lang=EN&lc=1033&fs=1&ct=1018205133&tw=1296000&id=2&kv=0&ru=http%3a%2f%2flaw7%2eoe%2ehotmail%2ecom%2fcgi%2dbin%2fhmdata%2fmyaddr%40hotmail%2ecom%3f&log=1 HTTP/1.1
 Depth: 0
 Content-Type: text/xml
 Brief: t
 User-Agent: Outlook-Express/5.5 (MSIE 5.5; Windows NT
 5.0; TmstmpExt)
 Cookie: [EMAIL PROTECTED]
 Content-Length: 357
 Connection: Keep-Alive
 Cache-Control: no-cache
 Host: loginnet.passport.com

 <?xml version="1.0"?>
 <D:propfind xmlns:D="DAV:"
 xmlns:h="http://schemas.microsoft.com/hotmail/"
 xmlns:hm="urn:schemas:httpmail:">
  <D:prop>
   <h:adbar/>
   <hm:contacts/>
   <hm:inbox/>
   <hm:outbox/>
   <hm:sendmsg/>
   <hm:sentitems/>
   <hm:deleteditems/>
   <hm:drafts/>
   <hm:msgfolderroot/>
   <h:maxpoll/>
   <h:sig/>
  </D:prop>
 </D:propfind>

 --------------------------
 httpmail (Perl, version 0.3)
 --------------------------
 PROPFIND /digest.srf?_lang=EN&lc=1033&fs=1&ct=1018182819&tw=1296000&id=2&kv=0&ru=http%3a%2f%2flaw7%2eoe%2ehotmail%2ecom%2fcgi%2dbin%2fhmdata%2fmyaddr%40hotmail%2ecom%3f&log=1 HTTP/1.1
 TE: deflate,gzip;q=0.3
 Connection: TE, close
 Authorization: Digest username="[EMAIL PROTECTED]",
 realm="hotmail.com", qop="auth", algorithm="MD5",
 uri="/cgi-bin/hmdata", nonce="[deleted for obvious
 reasons]", nc="[also]", cnonce="[as-well]",
 response="[some odd hash]"
 Host: loginnet.passport.com
 User-Agent: Outlook-Express/5.5 (MSIE 5.0; Windows 98;
 TmstmpExt)
 Content-Type: text/xml
 Content-Length: 304

 <?xml version="1.0"?>
 <D:propfind xmlns:D="DAV:"
 xmlns:h="http://schemas.microsoft.com/hotmail/"
 xmlns:hm="urn:schemas:httpmail:">
  <D:prop>
   <hm:contacts/>
   <hm:inbox/>
   <hm:outbox/>
   <hm:sendmsg/>
   <hm:sentitems/>
   <hm:deleteditems/>
   <hm:drafts/>
   <hm:msgfolderroot/>
  </D:prop>
 </D:propfind>
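
The behaviour the post argues for (credentials only after a 401, never carried across a redirect to another host, realm taken from the challenge) as an added example in Python. It is not httpmail or LWP code; the server script, paths and nonce are constructed to mirror the services.msn.com -> hotmail.com -> passport.com sequence described above.

```python
from urllib.parse import urlsplit

def parse_challenge(value):
    """Parse 'Digest realm="x", nonce="y"' into a dict (assumes quoted, comma-separated params)."""
    scheme, _, params = value.partition(" ")
    fields = {"scheme": scheme}
    for part in params.split(","):
        key, _, val = part.strip().partition("=")
        fields[key] = val.strip('"')
    return fields

class AuthState:
    """Offer Digest credentials only to the host that issued the last 401, with that challenge's realm."""
    def __init__(self, username):
        self.username = username
        self.challenge = None          # {"host", "realm", "nonce"} or None

    def request_headers(self, url):
        host = urlsplit(url).hostname
        if self.challenge and self.challenge["host"] == host:
            c = self.challenge
            return {"Authorization": f'Digest username="{self.username}", realm="{c["realm"]}", nonce="{c["nonce"]}"'}
        return {}                      # no challenge from this host yet: send nothing

    def next_url(self, url, status, headers):
        host = urlsplit(url).hostname
        if status == 401:
            ch = parse_challenge(headers["WWW-Authenticate"])
            self.challenge = {"host": host, "realm": ch["realm"], "nonce": ch["nonce"]}
            return url                 # retry the same URL, now with credentials
        if status in (301, 302, 307):
            target = headers["Location"]
            if urlsplit(target).hostname != host:
                self.challenge = None  # a cross-host redirect must not carry credentials along
            return target
        return None

# Constructed server script (paths and nonce are made up): each URL answers in order.
SCRIPT = {
    "http://services.msn.com/start": [(302, {"Location": "http://law7.oe.hotmail.com/cgi-bin/hmdata"})],
    "http://law7.oe.hotmail.com/cgi-bin/hmdata": [(401, {"WWW-Authenticate": 'Digest realm="hotmail.com", nonce="n1"'}),
                                                  (302, {"Location": "http://loginnet.passport.com/digest.srf"})],
    "http://loginnet.passport.com/digest.srf": [(200, {})],
}

def run(username, start, script):
    """Drive the exchange; return [(host, Authorization header or None), ...] per request sent."""
    state, url, trace = AuthState(username), start, []
    queues = {u: list(r) for u, r in script.items()}
    while url:
        sent = state.request_headers(url)
        trace.append((urlsplit(url).hostname, sent.get("Authorization")))
        status, headers = queues[url].pop(0)
        url = state.next_url(url, status, headers)
    return trace
```

The trace shows credentials sent exactly once, to the hotmail.com host that challenged, and nothing at all to loginnet.passport.com.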
