A malicious attacker could also bypass IDSs that do a string length check
as a means to identify the .printer overflow.
(the overflow occurs in a string concatenation function, not a copy :)
For example:
--
GET /X.printer HTTP/1.1
Host: 50 bytes
A lot of Intrusion Detection Systems only look for Host: strings when
dealing with web server attacks that do bad things with the Host: field.
An example of that would be the .printer ISAPI overflow that eEye released a
few weeks or so ago.
We have seen three distinct patterns in signatures