in reply to How to avoid Null Byte Injection?
A little googling showed me the following (taken from here: http://artofhacking.com/files/phrack/phrack55/P55-07.TXT):
Quoting "Rain Forest Puppy":
You see, Perl allows NUL characters in its variables as data. Unlike C, NUL is not a string delimiter. So, "root" != "root\0". But, the underlying system/kernel calls are programmed in C, which DOES recognize NUL as a delimiter. So the end result? Perl passes "rfp\0.db", but the underlying libs stop processing when they hit the first (our) NUL.
What if we had a script that allowed trusted junior admins to change passwords on anyone's account EXCEPT root? The code could be:
```perl
$user=$ARGV[1];  # user the jr admin wants to change
if ($user ne "root"){
    # do whatever needs to be done for this user
}
```
(**NOTE: this is here in WAY simplistic form & theory just to illustrate the point)

So, if the jr. admin tries 'root' as the name, it won't do anything. But, if the jr. admin passes 'root\0', Perl will succeed the test, and execute the block. Now, when system calls are piped out (unless it's all done in Perl, which is possible, but not likely), that NUL will be effectively dropped, and actions will be happening on root's record.
While this is not necessarily a security problem in itself, it is definitely an interesting feature to watch for. I've seen many CGIs that tack on a ".html" to some user-submitted form data for the resulting page. I.e.
```
page.cgi?page=1
```
winds up showing me 1.html. Semi-secure, because it adds ".html" page, so you'd think, at worst, it'd only show HTML pages. Well, if we send it
```
page.cgi?page=page.cgi%00
```
(%00 == '\0' escaped)

then the script will wind up feeding us a copy of its own source! Even a check with Perl's '-e' will fail:
```perl
$file="/etc/passwd\0.txt.whatever.we.want";
die("hahaha! Caught you!") if($file eq "/etc/passwd");
if (-e $file){ open (FILE, ">$file"); }
```
This will succeed (if there is, in fact, an /etc/passwd), and open it for writing.
Solution? Simple! Remove NULs. In Perl, it's as simple as
```perl
$insecure_data=~s/\0//g;
```
Note: don't escape them with the rest of the shell metacharacters. Completely remove them.

Please note: The indented text is not my own, I just thought it answered Nik's question and formatted it for our forum.
s**lil*; $*=join'',sort split q**; s;.*;grr; &&s+(.(.)).+$2$1+; $; = qq-$_-;s,.*,ahc,;$,.=chop for split q,,,reverse;print for($,,$;,$*,$/)
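As an added illustration of the point above (my own example, not Rain Forest Puppy's or the original poster's code): a small Perl script that shows why `eq`/`ne` is fooled by a trailing NUL, what the quoted `s/\0//g` strip does to such input, and an allow-list check that rejects the value outright. The `validate_username` rule and the sample inputs are assumptions chosen for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Strict check for a name that will be handed to a C-level API or a shell.
# Rejecting is stricter than stripping: a NUL never comes from a legitimate
# form field, so treat it as an attack indicator worth logging, not repairing.
# (The allow-list pattern is an assumption for this example.)
sub validate_username {
    my ($name) = @_;
    return 0 unless defined $name;
    return 0 if index($name, "\0") != -1;                    # embedded NUL
    return 0 unless $name =~ /\A[a-z_][a-z0-9_-]{0,31}\z/;   # allow-list
    return 1;
}

# The "remove NULs" fix from the quoted text, as a function.
sub strip_nul {
    my ($s) = @_;
    $s =~ s/\0//g;
    return $s;
}

sub printable { my ($s) = @_; $s =~ s/\0/\\0/g; return $s; }  # show NUL as \0

# Constructed sample inputs: a real user, the root bypass, a path smuggle.
for my $candidate ("alice", "root", "root\0", "../etc/passwd\0.html") {
    my $stripped = strip_nul($candidate);
    printf "%-24s  ne 'root': %-3s  after strip ne 'root': %-3s  validate: %d\n",
        "'" . printable($candidate) . "'",
        ($candidate ne "root" ? "yes" : "no"),   # fooled by "root\0"
        ($stripped  ne "root" ? "yes" : "no"),   # correct once NUL is gone
        validate_username($candidate);
}

# Note: since Perl 5.20, file operators such as -e and open() refuse a path
# containing NUL (warning "Invalid \0 character in pathname") and return
# false, so the -e trick in the quoted text fails on a current Perl. The
# string comparison, however, is still fooled, and anything passed on to a
# shell or C library is still truncated at the NUL, so the input check stays
# necessary.
```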