WA000-WI6084 IIS6 - The FavorUTF8 registry key must be set properly.

Information

Http.sys is the kernel mode driver that handles HTTP requests. There are several registry keys associated with http.sys. The FavorUTF8 registry key allows URLs to be decoded as UTF-8 before any other encoding.

Overlong encoding forms have been used to bypass security validations in high profile products including Microsoft's IIS web server. Therefore, great care must be taken to avoid security issues if validation is performed before conversion from UTF-8, and it is generally much simpler to handle overlong forms before any input validation is done.

To maintain security in the case of invalid input, there are two options. The first is to decode the UTF-8 before doing any input validation checks. The second is to use a decoder that, in the event of invalid input, returns either an error or text the application considers to be harmless. Another possibility is to avoid conversion out of UTF-8 altogether but this relies on any other software that the data is passed to safely handling the invalid data.

Solution

Use the registry editor and navigate to the following location in the registry- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters Set the ' FavorUTF8' key to REG_DWORD 1, add the key if it does not exist.

See Also

http://iasecontent.disa.mil/stigs/zip/July2015/U_IIS_6-0_V6R16_STIG.zip

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-10, CAT|II, Rule-ID|SV-38162r1_rule, STIG-ID|WA000-WI6084_IIS6, Vuln-ID|V-13716

Plugin: Windows

Control ID: 3527a6e4a957ae1601d69f0f180dd8ad85e4e80434d7c24d74f219c5609b780b