was patched in version 1.3.37,
It probably still affects a large number of systems out there.
Ah, that explains a lot... I'd known about that issue quite a while ago but thought they had that nailed in 2.x - I was hoping you could pop one of my machines and show me how it's done. I am all 2.0 on net-facing machines.
Also, I'd assume that a BO error will pass normally over a firewall - because the packets are just sent as is if they're port-forwarded to a box behind the wall... do you happen to know anything about that as well?
Anyway, in my mind it's impossible to completely secure a web server, no matter how foolproof, against something as simple as a buffer overflow attack or a denial of service attack for that matter. You just don't think that way when you're coding it to begin with. I try, but try as I might, I can never think of enough attack vectors to keep my apps entirely secure.
DDOS of course... that really has nothing to do wiht a server per se... more with the notion of simply overloading a systemn - which can happen with anything at all - put 1000x more in than it was built to handle and it will break. But regarding BO errors, I believe it is possible to limit, or even completely eliminate the possibility of a BO by simply watching data passing through - create a channel narrow enough that you can deal with every possibility of what comes through there and you should have it... I'd expect that this is how the built the 2.0 versions...
If you hear of stuff along this line I'd really like you to post about it because it is something that the majority of webmasters (guilty here as well) just don't take enough time to think about. Although I have pretty hardened systems and walls, there is always someone out there more clever than me...
Thanks for the post VS