You don't need a shell for a nul to be a security problem. See (tye)Re: CGI OO 'param' vs. hash.

As for the PerlMonks issue, I don't see a whole lot of point in having nul bytes in PM URLs be treated nicely. I doubt they can be supported in the underlying database so they have no use so why shouldn't they give you a useless page?

So long as they are detected and prevented from doing damage, I'm happy (I'm not sure that they are being detected but it certainly could be that the nul detector just dies and that triggers the 500 error, which is fine with me).