White Paper: 0x00 vs ASP file upload scripts

To: "Bugtraq@Securityfocus. Com" <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: White Paper: 0x00 vs ASP file upload scripts
From: "Brett Moore" <brett.moore@xxxxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 13 Jul 2004 14:52:15 +1200
Importance: Normal
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

We are proud to announce the release of our latest white paper
titled 0x00 vs ASP file upload scripts.

.Abstract.
The affects of the `Poison NULL byte` have not been widely
explored in ASP, but as with other languages the NULL byte
can cause problems when ASP passes data to objects.

Many upload systems written in ASP suffer from a common
problem whereby a NULL byte can be inserted into the filename
parameter leading to any extension, after the null byte,
being ignored when writing the file. 

This means that in some cases it is possible to bypass 
checks for valid extensions, even if one is appended by the 
application. This is very similar to attacks against perl and 
PHP, the difference being how the null byte is sent to the 
application.

This problem arises when data is compared and validated in ASP 
script but passed to the FileSystemObject without checking for 
NULL bytes.

This document will discuss how ASP upload scripts can be 
affected by the Poison NULL byte attack.

.Download.
This white paper is freely available for download from our website
www.security-assessment.com under the releases->white papers section.

Any feedback or follow up to this is most welcome,

Regards

Brett Moore
Network Intrusion Specialist, CTO
Security-Assessment.com Ltd
www.security-assessment.com 


######################################################################
CONFIDENTIALITY NOTICE: 

This message and any attachment(s) are confidential and proprietary. 
They may also be privileged or otherwise protected from disclosure. If 
you are not the intended recipient, advise the sender and delete this 
message and any attachment from your system. If you are not the 
intended recipient, you are not authorised to use or copy this message 
or attachment or disclose the contents to any other person. Views 
expressed are not necessarily endorsed by Security-Assessment.com 
Limited. Please note that this communication does not designate an 
information system for the purposes of the New Zealand Electronic 
Transactions Act 2003.
######################################################################

Follow-Ups:
- Re: White Paper: 0x00 vs ASP file upload scripts
  - From: Martin Eiszner

Prev by Date: Re: aterm 0.4.2 tty permission weakness
Next by Date: The Impact of RFC Guidelines on DNS Spoofing Attacks
Previous by thread: Re: Trend Micro Officescan for Win2k strange behaviour
Next by thread: Re: White Paper: 0x00 vs ASP file upload scripts
Index(es):
- Date
- Thread