Check: WA000-WI6084 (IIS6 Server STIG, version v6 r16)
Title
The FavorUTF8 registry key must be set properly. (Cat II impact)
Discussion
Http.sys is the kernel-mode driver that handles HTTP requests. Several registry keys control http.sys. The FavorUTF8 registry key makes http.sys decode URLs as UTF-8 before trying any other encoding. Overlong UTF-8 encoding forms have been used to bypass security validations in high-profile products, including Microsoft's IIS web server. Great care must therefore be taken if validation is performed before conversion from UTF-8, and it is generally much simpler to handle overlong forms before any input validation is done. To maintain security in the face of invalid input, there are two options. The first is to decode the UTF-8 before doing any input validation checks. The second is to use a decoder that, on invalid input, returns either an error or text the application considers harmless. Another possibility is to avoid conversion out of UTF-8 altogether, but this relies on every other piece of software the data is passed to safely handling the invalid data.
Check Content
To verify this setting, use the registry editor and navigate to the following location in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
FavorUTF8    REG_DWORD    1
If the registry value is not set to 1, this is a finding.
NOTE: If check WA000-WI6082 is set correctly to 0, this registry key is optional and it is not a finding if it is not present.
Fix Text
Use the registry editor and navigate to the following location in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
Set "FavorUTF8" to REG_DWORD 1; add the key if it does not exist.
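An added PowerShell script (not part of the STIG text) that performs the Check Content above and, with -Remediate, applies the Fix Text. It assumes an elevated PowerShell session on the IIS host; the -WI6082Compliant switch is a hypothetical input that tells the script check WA000-WI6082 is already set to 0, so a missing value is reported per the NOTE rather than as a finding.

```powershell
# Added example for WA000-WI6084 (not DISA's code). Run elevated on the IIS host.
[CmdletBinding()]
param(
    # Assumption: the operator has already verified WA000-WI6082 is set to 0.
    [switch]$WI6082Compliant,
    # Apply the Fix Text instead of only reporting.
    [switch]$Remediate
)

$path = 'HKLM:\System\CurrentControlSet\Services\HTTP\Parameters'
$name = 'FavorUTF8'

function Test-FavorUtf8 {
    # Missing key or missing value both return $null here (errors suppressed).
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        if ($WI6082Compliant) {
            return [pscustomobject]@{ Status = 'Not a Finding'; Detail = "$name absent; optional because WA000-WI6082 is 0" }
        }
        return [pscustomobject]@{ Status = 'Finding'; Detail = "$name is not present" }
    }
    $value = $item.$name
    # A REG_DWORD reads back as Int32; a REG_SZ "1" would not satisfy the check.
    if ($value -is [int] -and $value -eq 1) {
        return [pscustomobject]@{ Status = 'Not a Finding'; Detail = "$name = $value (REG_DWORD)" }
    }
    return [pscustomobject]@{ Status = 'Finding'; Detail = "$name = $value (expected REG_DWORD 1)" }
}

function Set-FavorUtf8 {
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # -Force creates the value or overwrites an existing one as REG_DWORD 1.
    New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
}

$result = Test-FavorUtf8
Write-Output ('{0}: {1}' -f $result.Status, $result.Detail)
if ($Remediate -and $result.Status -eq 'Finding') {
    Set-FavorUtf8
    $after = Test-FavorUtf8
    # http.sys reads Parameters when the HTTP service starts, so restart it for the change to apply.
    Write-Output ('{0}: {1}; restart the HTTP service to apply' -f $after.Status, $after.Detail)
}
```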
Additional Identifiers
Rule ID: SV-38162r1_rule
Vulnerability ID: V-13716
Group Title:
CCIs
| Number | Definition |
|---|---|
| No CCIs are assigned to this check | |
Controls
| Number | Title |
|---|---|
| No controls are assigned to this check | |