Select the product you need help with
- Internet Explorer
- Windows Phone
- More products
FIX: Embedded Null Characters May Bypass Request Script Validation
Article ID: 821349 - View products that this article applies to.
Embedded null characters in some postions in a URL may not be detected as tags and may bypass the request script validation functionality.
This problem occurs because during parsing, the ASPNET scripting tag detection mechanism looks for an angle bracket ("<") that is followed by a letter or by an exclamation point ("!"). When the tag detection mechanism finds a null character instead, the script does not see the angle bracket ("<") as a tag.
To reproduce this problem, follow these steps:
How to Obtain the HotfixThis issue is fixed in the June 2003 ASP.NET Hotfix Package 1.1. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
821156You cannot obtain this fix individually. You must install the rollup.
(http://support.microsoft.com/kb/821156/ )INFO: ASP.NET 1.1 June 2003 Hotfix Rollup Package
Note When you request this hotfix, you receive the rollup. The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Date Time Version Size File name ----------------------------------------------------------------------- 07-Jun-2003 00:44 1.1.4322.910 253,952 Aspnet_isapi.dll 07-Jun-2003 00:44 1.1.4322.910 20,480 Aspnet_regiis.exe 07-Jun-2003 00:44 1.1.4322.910 32,768 Aspnet_wp.exe 15-May-2003 23:49 33,522 Installpersistsqlstate.sql 15-May-2003 23:49 34,150 Installsqlstate.sql 07-Jun-2003 12:52 1.1.4322.910 1,216,512 System.dll 07-Jun-2003 00:39 14,472 Webuivalidation.js 07-Jun-2003 12:52 1.1.4322.910 1,249,280 System.Web.dll
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.
Article ID: 821349 - Last Review: October 25, 2005 - Revision: 2.3