Warning! Audit Deprecated
Information
Vulnerability Key: V0013714
IA Controls: ECSC-1 Security Configuration Compliance
Categories: 2.2 Least Privilege
Severity: Category II
Ref: WEB SERVER SECURITY TECHNICAL IMPLEMENTATION GUIDE Section 2.1
In Microsoft Windows Server 2003, Http.sys is the kernel-mode driver that handles HTTP requests. Several registry values can be
configured according to specific requirements. The default value for this key is 0. This is also the recommended value, as it
facilitates the task of input validation at the server level. If the value is nonzero, Http.sys accepts hex-escaped characters in
request URLs that decode to the U+0000 - U+001F and U+007F - U+009F ranges. This allows an attacker to hex-encode potentially
malicious characters in an attempt to bypass input validation routines.
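
To check logged request URLs for the escapes this finding describes, the following added example (not part of the STIG or of any Microsoft tooling) reports every hex escape that decodes into U+0000 - U+001F or U+007F - U+009F. The function names and sample URLs are constructed for illustration, and the example assumes escaped bytes are read as UTF-8, with a byte that is not valid UTF-8 reported as its own value.

```python
import re

# Code point ranges named in the finding: U+0000-U+001F and U+007F-U+009F.
RESTRICTED = ((0x00, 0x1F), (0x7F, 0x9F))
ESCAPE_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2})+")

def _code_points(raw):
    """Yield (byte_index, code_point) for a run of unescaped bytes.

    Assumption of this example: bytes are read as UTF-8, and a byte that
    is not valid UTF-8 is reported as its own value.
    """
    i = 0
    while i < len(raw):
        for n in (1, 2, 3, 4):          # try the shortest UTF-8 sequence first
            try:
                ch = raw[i:i + n].decode("utf-8")
            except UnicodeDecodeError:
                continue
            yield i, ord(ch)
            i += n
            break
        else:                           # no valid sequence starts at this byte
            yield i, raw[i]
            i += 1

def restricted_escapes(url):
    """Return [(offset_in_url, 'U+XXXX'), ...] for escapes in the restricted ranges."""
    hits = []
    for run in ESCAPE_RUN.finditer(url):
        raw = bytes.fromhex(run.group().replace("%", ""))
        for idx, cp in _code_points(raw):
            if any(lo <= cp <= hi for lo, hi in RESTRICTED):
                # Each escaped byte occupies three characters ("%XX") in the URL.
                hits.append((run.start() + 3 * idx, f"U+{cp:04X}"))
    return hits

# Constructed request URLs (not taken from any real log).
SAMPLE_URLS = [
    "/default.asp?id=42",
    "/report.asp%00.txt",
    "/search?q=caf%C3%A9",
    "/login?user=a%0D%0Ab",
    "/view?name=x%C2%85y",
    "/dl?f=a%7Fb%20c",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(u, restricted_escapes(u))
```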