Bugtraq mailing list archives

vqServer DoS


From: "Dr. S. G. Shering" <s.shering () VQSOFT COM>
Date: Sun, 17 Sep 2000 21:26:55 +0100

In article <200008270354.UAA10952 () user4 hushmail com>,
  auto45040 () HUSHMAIL COM wrote:
> DHC Advisory
> Advisory for vqServer 1.4.49
> vqServer is made by vqSoft. Site: http://www.vqsoft.com
> by nemesystm of the DHC
>
> When sending vqServer version 1.4.49 a malformed URL request it will crash
> the service. This has been verified to work on the Windows version, but
> it probably is in the linux/unix version and prior versions too.

I can't reproduce this problem, either using the PERL script you provide or
by using other methods to generate unusual URLs or HTTP requests, including
URLs and HTTP requests that contain more than 2^32 bytes.

I've also reviewed the vqServer code that retrieves and parses URLs. The
code contains a mechanism that insulates the server from attacks such as the
one you describe.

vqServer is a Java program, so there's automatic built-in protection against
buffer overruns. If an overrun occurs, the JVM traps it, the connection is
terminated and the memory is recovered.

It's possible that you've managed to produce a buffer overrun type problem
in some other component of your test system, such as a proxy server or
firewall, and are misinterpreting this as a vqServer problem.

If you do find a genuine, reproducible problem in vqServer, please report it
to me directly by email. We fix most bugs within 48 hours and post updates
on the vqServer web site as soon as they are available. However, it might
take us a while to find bug reports posted to newsgroups. Anonymous or
semi-anonymous newsgroup postings which are misleading or incorrect don't
help anyone.

Finally, because vqServer is a Java program, the same version runs on all
platforms. And version 1.9.49 is later or higher than version 1.9.47.

Steve Shering
vqSoft
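
The behaviour described in the reply above (an out-of-bounds write trapped by the JVM, with only the affected connection closed), as an added example that is not part of the original message and is not vqServer code. The class and method names, the 64-byte buffer and the sample requests are assumptions made for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

// Added illustration; hypothetical names, not vqServer code.
public class OverrunContainmentDemo {
    static final int MAX_LINE = 64; // assumed buffer size for the demo

    // Copies one request line into a fixed-size buffer with no explicit
    // length check, the pattern that overflows adjacent memory in C.
    static String readRequestLine(InputStream in) throws IOException {
        byte[] buf = new byte[MAX_LINE];
        int n = 0, b;
        while ((b = in.read()) != -1 && b != '\n') {
            buf[n++] = (byte) b; // the JVM bounds-checks every array store
        }
        return new String(buf, 0, n, StandardCharsets.US_ASCII).trim();
    }

    // Per-connection handler: a trapped overrun ends only this connection.
    static String handle(InputStream conn) {
        try (InputStream in = conn) {
            return "served: " + readRequestLine(in);
        } catch (ArrayIndexOutOfBoundsException e) {
            // The store past the end of buf never happened; drop the client.
            return "closed: request line exceeded " + MAX_LINE + " bytes";
        } catch (IOException e) {
            return "closed: I/O error";
        }
    }

    public static void main(String[] args) {
        // Constructed sample requests standing in for two client connections.
        String longPath = "GET /" + "A".repeat(500) + " HTTP/1.0\r\n";
        String normal = "GET /index.html HTTP/1.0\r\n";
        for (String req : new String[] { longPath, normal }) {
            byte[] raw = req.getBytes(StandardCharsets.US_ASCII);
            System.out.println(handle(new ByteArrayInputStream(raw)));
        }
    }
}
```

Bounds checking covers array indexing only; a handler that buffers a request of unbounded size still needs an explicit length cap to keep memory use in check.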

