Free DISA STIG and SRG Library | Vaulted

V-13716

The FavorUTF8 registry key must be set properly.

Finding ID
WA000-WI6084 IIS6
Rule ID
SV-38162r1_rule
Severity
Cat II
CCE
(None)
Group Title
WA000-WI6084
CCI
(None)
Target Key
(None)
Documentable
No
Discussion

Http.sys is the kernel-mode driver that receives and parses HTTP requests for IIS. Several registry values under its Parameters key control that parsing. The FavorUTF8 value tells Http.sys to decode the request URL as UTF-8 before trying any other encoding. Overlong encoding forms (a character encoded with more bytes than the shortest UTF-8 form requires) have been used to bypass security validations in high-profile products, including Microsoft's IIS web server: a filter that inspects the raw bytes for characters such as "/" or ".." before UTF-8 decoding does not recognize their overlong forms, while the decoder that runs afterwards turns them into exactly those characters. Great care must therefore be taken if validation is performed before conversion from UTF-8, and it is generally much simpler to handle overlong forms before any input validation is done. To maintain security in the face of invalid input there are two options. The first is to decode the UTF-8 before doing any input validation checks. The second is to use a decoder that, on invalid input, returns either an error or text the application considers harmless. A further possibility is to avoid conversion out of UTF-8 altogether, but this relies on every other component the data is passed to handling the invalid data safely.
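The second option above (a decoder that fails on invalid input rather than passing it through) can be shown with the .NET UTF-8 decoders available from PowerShell. This is an added example, not part of the STIG text; the byte strings are constructed here to illustrate an overlong form and are not taken from any real request.

```powershell
# Added example (not part of the STIG text): a strict UTF-8 decoder rejects an overlong
# encoding that a lenient decoder silently replaces. Byte strings below are constructed.
$lenient = [System.Text.Encoding]::UTF8                       # replaces invalid bytes with U+FFFD
$strict  = New-Object System.Text.UTF8Encoding($false, $true)  # throwOnInvalidBytes = $true

# 0xC0 0xAF is an overlong two-byte form of '/' (0x2F). A byte-level check for "../"
# run before decoding does not match this sequence; a decoder that accepts it produces "/".
$overlong = [byte[]](0x2E, 0x2E, 0xC0, 0xAF, 0x65, 0x74, 0x63)   # "..", overlong "/", "etc"
$valid    = [byte[]](0x2E, 0x2E, 0x2F, 0x65, 0x74, 0x63)         # "../etc" in shortest form

function Decode-Strict {
    param([byte[]]$Bytes)
    # Returns the decoded string, or $null when the input is not well-formed UTF-8.
    try   { return $strict.GetString($Bytes) }
    catch { return $null }
}

"lenient decode of overlong input: " + $lenient.GetString($overlong)   # '..' + U+FFFD replacement(s) + 'etc'
"strict decode of valid input:     " + (Decode-Strict $valid)          # ../etc
"strict decode of overlong input:  " + $(if ($null -eq (Decode-Strict $overlong)) { 'rejected' } else { 'accepted' })
```

The lenient decoder never surfaces an error, so any validation that runs on its output sees replacement characters instead of a slash; the strict decoder reports the malformed input, which lets the application reject the request outright. Either approach is safer than validating the raw bytes and decoding afterwards.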

Fix Text

Use the registry editor and navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters. Set the "FavorUTF8" value to REG_DWORD 1; add the value if it does not exist.

Check Content

To verify this setting, use the registry editor and navigate to the following location in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters. The value FavorUTF8 must be present as REG_DWORD 1. If the registry value is not set to 1, this is a finding. NOTE: If check WA000-WI6082 is set correctly to 0, this registry value is optional and its absence is not a finding.
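The fix and check above can be applied and verified from an elevated PowerShell session instead of the registry editor. This is an added example, not part of the STIG text; the function names are this example's own. It does not evaluate the WA000-WI6082 exception in the NOTE, because this page identifies that check only by its ID.

```powershell
# Added example (not part of the STIG text): set and verify the FavorUTF8 value that
# the STIG check reads. Run elevated; Http.sys reads the value when the HTTP service starts,
# so restart the service (or reboot) after changing it.
$path = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$name = 'FavorUTF8'

function Get-FavorUTF8 {
    # Returns the current DWORD value, or $null when the value does not exist.
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$name
}

function Set-FavorUTF8 {
    # Creates the Parameters key if it is missing, then creates or overwrites
    # the REG_DWORD value with 1, as the Fix Text requires.
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-FavorUTF8 {
    # Mirrors the Check Content: a finding unless the value exists and equals 1.
    $v = Get-FavorUTF8
    if ($v -eq 1) {
        return "PASS: $name is REG_DWORD 1"
    }
    $state = if ($null -eq $v) { 'absent' } else { "set to $v" }
    return "FINDING: $name is $state (expected 1)"
}

Test-FavorUTF8   # state before the fix
Set-FavorUTF8
Test-FavorUTF8   # expected: PASS
```

Run Test-FavorUTF8 alone during an audit; Set-FavorUTF8 is only needed on hosts where the check reports a finding and the WA000-WI6082 exception does not apply.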

Responsibility

Web Administrator

IA Controls

ECSC-1