Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

FIX: Embedded Null Characters May Bypass Request Script Validation


View products that this article applies to.

Symptoms

Embedded null characters in some postions in a URL may not be detected as tags and may bypass the request script validation functionality.

↑ Back to the top


Cause

This problem occurs because during parsing, the ASPNET scripting tag detection mechanism looks for an angle bracket ("<") that is followed by a letter or by an exclamation point ("!"). When the tag detection mechanism finds a null character instead, the script does not see the angle bracket ("<") as a tag.

To reproduce this problem, follow these steps:
  1. Create a simple Web page, and name it echo.aspx.
  2. Add the following code to echo.aspx:
    <%
    	Response.Write(Request.QueryString("stringtext"))
    %>
  3. Request the page by using an embedded null character after the opening. For example, go to the following URL:
    http://localhost/echo.aspx?stringtext=<%00script>alert('Hello');</script>
    The request will render script or active content. The expected result is a request validation error or inert content.

↑ Back to the top


Resolution

How to Obtain the Hotfix

This issue is fixed in the June 2003 ASP.NET Hotfix Package 1.1. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
821156 INFO: ASP.NET 1.1 June 2003 Hotfix Rollup Package
You cannot obtain this fix individually. You must install the rollup.

Note When you request this hotfix, you receive the rollup. The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
	           Date         Time   Version       Size       File name
		   -----------------------------------------------------------------------
		   07-Jun-2003  00:44  1.1.4322.910    253,952  Aspnet_isapi.dll
		   07-Jun-2003  00:44  1.1.4322.910     20,480  Aspnet_regiis.exe
		   07-Jun-2003  00:44  1.1.4322.910     32,768  Aspnet_wp.exe
		   15-May-2003  23:49                   33,522  Installpersistsqlstate.sql
		   15-May-2003  23:49                   34,150  Installsqlstate.sql
		   07-Jun-2003  12:52  1.1.4322.910  1,216,512  System.dll
		   07-Jun-2003  00:39                   14,472  Webuivalidation.js
		   07-Jun-2003  12:52  1.1.4322.910  1,249,280  System.Web.dll

↑ Back to the top


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

↑ Back to the top


Keywords: KB821349, kbbug, kbqfe, kbhttp, kbfix, kbnetframe100presp3fix, kbqfe, kbhotfixserver

↑ Back to the top

Article Info
Article ID : 821349
Revision : 5
Created on : 10/25/2005
Published on : 10/25/2005
Exists online : False
Views : 700