Bugtraq mailing list archives
vqServer DoS
From: "Dr. S. G. Shering" <s.shering () VQSOFT COM>
Date: Sun, 17 Sep 2000 21:26:55 +0100
In article <200008270354.UAA10952 () user4 hushmail com>, auto45040 () HUSHMAIL COM wrote:
> DHC Advisory
> Advisory for vqServer 1.4.49
> vqServer is made by vqSoft. Site: http://www.vqsoft.com
> by nemesystm of the DHC
>
> When sending vqServer version 1.4.49 a malformed URL request it will crash the service. This has been verified to work on the Windows version, but it probably is in the linux/unix version and prior versions too.
I can't reproduce this problem, either using the PERL script you provide or by using other methods to generate unusual URLs or HTTP requests, including URLs and HTTP requests that contain more than 2^32 bytes.

I've also reviewed the vqServer code that retrieves and parses URLs. The code contains a mechanism that insulates the server from attacks such as the one you describe. vqServer is a Java program, so there's automatic built-in protection against buffer overruns. If an overrun occurs, the JVM traps it, the connection is terminated and the memory is recovered.

It's possible that you've managed to produce a buffer overrun type problem in some other component of your test system, such as a proxy server or firewall, and are misinterpreting this as a vqServer problem.

If you do find a genuine, reproducible problem in vqServer, please report it to me directly by email. We fix most bugs within 48 hours and post updates on the vqServer web site as soon as they are available. However, it might take us a while to find bug reports posted to newsgroups. Anonymous or semi-anonymous newsgroup postings which are misleading or incorrect don't help anyone.

Finally, because vqServer is a Java program, the same version runs on all platforms. And version 1.9.49 is later or higher than version 1.9.47.

Steve Shering
vqSoft
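The behaviour the reply describes (an out-of-bounds write trapped by the JVM, the connection dropped, the server still running) can be shown with a small added example. This is not vqServer code and not from the original post; the class name, the 8192-byte limit and the sample inputs are assumptions constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class BoundedRequestLine {
    static final int MAX_LINE = 8192; // assumed limit, not vqServer's

    // Copies bytes into a fixed buffer up to the first LF with no explicit
    // length check, so the JVM's array bounds check is the only guard.
    static String readRequestLine(InputStream in) throws IOException {
        byte[] buf = new byte[MAX_LINE];
        int n = 0, b;
        while ((b = in.read()) != -1 && b != '\n') {
            buf[n++] = (byte) b; // ArrayIndexOutOfBoundsException once n == MAX_LINE
        }
        if (n > 0 && buf[n - 1] == '\r') n--; // strip the CR of a CRLF
        return new String(buf, 0, n, StandardCharsets.ISO_8859_1);
    }

    // Per-connection wrapper: a fault while parsing ends this connection only.
    // try-with-resources closes the stream; the buffer becomes garbage.
    static String handle(InputStream conn) {
        try (InputStream in = conn) {
            return "parsed: " + readRequestLine(in);
        } catch (RuntimeException | IOException e) {
            return "closed: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: one ordinary request line, one oversized line
        // with no terminator.
        byte[] normal = "GET /index.html HTTP/1.0\r\n"
                .getBytes(StandardCharsets.ISO_8859_1);
        byte[] oversized = new byte[MAX_LINE + 100];
        Arrays.fill(oversized, (byte) 'A');

        System.out.println(handle(new ByteArrayInputStream(normal)));
        System.out.println(handle(new ByteArrayInputStream(oversized)));
        // A later connection is handled normally after the fault.
        System.out.println(handle(new ByteArrayInputStream(normal)));
    }
}
```

The bounds check stops the write from corrupting memory, but the connection is only dropped cleanly because the handler catches the exception. Memory or thread exhaustion from many large requests is a separate failure mode that this check does not cover.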