FIX: Embedded Null Characters May Bypass Request Script Validation

Article ID: 821349 - View products that this article applies to.
Expand all | Collapse all

On This Page

SYMPTOMS

Embedded null characters in some postions in a URL may not be detected as tags and may bypass the request script validation functionality.
Back to the top | Give Feedback

CAUSE

This problem occurs because during parsing, the ASPNET scripting tag detection mechanism looks for an angle bracket ("<") that is followed by a letter or by an exclamation point ("!"). When the tag detection mechanism finds a null character instead, the script does not see the angle bracket ("<") as a tag.

To reproduce this problem, follow these steps:
  1. Create a simple Web page, and name it echo.aspx.
  2. Add the following code to echo.aspx:
    <%
	Response.Write(Request.QueryString("stringtext"))
%>
  3. Request the page by using an embedded null character after the opening. For example, go to the following URL:
    http://localhost/echo.aspx?stringtext=<%00script>alert('Hello');</script>
    The request will render script or active content. The expected result is a request validation error or inert content.
Back to the top | Give Feedback

RESOLUTION

How to Obtain the Hotfix

This issue is fixed in the June 2003 ASP.NET Hotfix Package 1.1. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
821156
(http://support.microsoft.com/kb/821156/ )
INFO: ASP.NET 1.1 June 2003 Hotfix Rollup Package
You cannot obtain this fix individually. You must install the rollup.

Note When you request this hotfix, you receive the rollup. The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel. 
	           Date         Time   Version       Size       File name
		   -----------------------------------------------------------------------
		   07-Jun-2003  00:44  1.1.4322.910    253,952  Aspnet_isapi.dll
		   07-Jun-2003  00:44  1.1.4322.910     20,480  Aspnet_regiis.exe
		   07-Jun-2003  00:44  1.1.4322.910     32,768  Aspnet_wp.exe
		   15-May-2003  23:49                   33,522  Installpersistsqlstate.sql
		   15-May-2003  23:49                   34,150  Installsqlstate.sql
		   07-Jun-2003  12:52  1.1.4322.910  1,216,512  System.dll
		   07-Jun-2003  00:39                   14,472  Webuivalidation.js
		   07-Jun-2003  12:52  1.1.4322.910  1,249,280  System.Web.dll

Back to the top | Give Feedback

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.
Back to the top | Give Feedback

Properties

Article ID: 821349 - Last Review: October 25, 2005 - Revision: 2.3
APPLIES TO
  • Microsoft Visual Studio .NET 2003 Enterprise Architect
  • Microsoft Visual Studio .NET 2003 Enterprise Developer
  • Microsoft Visual Studio .NET 2003 Professional Edition
  • Microsoft ASP.NET 1.1
Keywords: 
kbhotfixserver kbqfe kbnetframe100presp3fix kbfix kbhttp kbqfe kbbug KB821349
Back to the top | Give Feedback

Give Feedback

 
Back to the topBack to the top