ABSTRACT

The affects of the `Poison NULL byte` have not been widely explored in ASP, but
as with other languages the NULL byte can cause problems when ASP passes
data to objects.

Many upload systems written in ASP suffer from a common problem whereby a
NULL byte can be inserted into the filename parameter leading to any extension,
after the null byte, being ignored when writing the file.

This means that in some cases it is possible to bypass checks for valid
extensions, even if one is appended by the application.

This is very similar to attacks against perl and PHP, the difference being how the
null byte is sent to the application.

This problem arises when data is compared and validated in ASP script but
passed to the FileSystemObject without checking for NULL bytes.
This document will discuss how ASP upload scripts can be affected by the Poison
NULL byte attack.