WA000-WI6084 - The FavorUTF8 registry entry is not set properly.

Information

Vulnerability Key: V0013716
IA Controls: ECSC-1 Security Configuration Compliance
Categories: 2.2 Least Privilege
Severity: Category II
Ref: WEB SERVER SECURITY TECHNICAL IMPLEMENTATION GUIDE Section 2.1
If FavorUTF8 is non-zero, Http.sys always tries to decode a URL as UTF-8 first; if that conversion fails and EnableNonUTF8 is
non-zero, Http.sys then tries to decode it as ANSI or DBCS. If FavorUTF8 is zero (and EnableNonUTF8 is non-zero), Http.sys tries
to decode the URL as ANSI or DBCS first; if that is not successful, it tries a UTF-8 conversion. Overlong forms have been used to
bypass security validations in high-profile products, including Microsoft's IIS web server. Therefore, great care must be taken
to avoid security issues if validation is performed before the UTF-8 is decoded. To maintain security in the case of invalid
input, there are two options. The first is to decode the UTF-8 before doing any input validation checks. The second is to use a
decoder that, in the event of invalid input, returns either an error or text that the application considers to be harmless.
Another possibility is to avoid conversion out of UTF-8 altogether, but this relies on any other software that the data is
passed to safely handling the invalid data.
Responsibility: Web Administrator
NOTE: If check WA000-WI6082 is set correctly to '0', this registry key is optional and it is not a finding if the key is not present.
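
The decode order described above, modelled in Python as an added illustration for this check (this is not Http.sys code or any
Microsoft code). It shows why the order matters: the same request bytes yield a different path string depending on whether UTF-8
or the ANSI code page is tried first, so a validator written for one interpretation can disagree with the server's. The strict
decoder also rejects overlong sequences outright, which is the "return an error" option the text recommends, and the final
function applies the "decode first, then validate" option. The ANSI fallback uses cp1252 as a stand-in for the server's code
page, and the sample request bytes are constructed for the example.

```python
# Illustrative model of the FavorUTF8 / EnableNonUTF8 decode order, written for
# this page. Not Http.sys or Microsoft code; cp1252 is an assumed ANSI code page.

ANSI_CODEPAGE = "cp1252"  # assumption: stands in for the server's ANSI/DBCS code page


def strict_utf8(raw: bytes):
    """Decode as UTF-8, returning None on any malformed or overlong sequence.
    Python's codec follows RFC 3629, so overlong forms such as C0 AF are rejected
    rather than silently mapped to the short form they imitate."""
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def ansi(raw: bytes):
    """Decode with the ANSI code page, returning None for undefined bytes."""
    try:
        return raw.decode(ANSI_CODEPAGE)
    except UnicodeDecodeError:
        return None


def decode_url_bytes(raw: bytes, favor_utf8: int, enable_non_utf8: int):
    """Apply the order the check text describes.

    Returns (text, codec_used), or (None, None) when no permitted decoder
    accepted the bytes."""
    if favor_utf8:
        # UTF-8 first; ANSI/DBCS only as a fallback and only if allowed.
        text = strict_utf8(raw)
        if text is not None:
            return text, "utf-8"
        if enable_non_utf8:
            text = ansi(raw)
            if text is not None:
                return text, ANSI_CODEPAGE
        return None, None

    if enable_non_utf8:
        # ANSI/DBCS first. cp1252 accepts nearly every byte, so valid UTF-8
        # multi-byte sequences are reinterpreted as pairs of Latin characters.
        text = ansi(raw)
        if text is not None:
            return text, ANSI_CODEPAGE

    text = strict_utf8(raw)
    return (text, "utf-8") if text is not None else (None, None)


def accept_request_path(raw: bytes, favor_utf8: int, enable_non_utf8: int) -> bool:
    """Decode first, then validate the decoded text (option one in the check text).

    Rejects anything no decoder accepted, control characters, and '..' segments.
    Because validation runs on the decoded string, it sees the same path the
    server would, instead of inspecting raw bytes that decode to something else."""
    text, _codec = decode_url_bytes(raw, favor_utf8, enable_non_utf8)
    if text is None:
        return False
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in text):
        return False
    return ".." not in text.split("/")


if __name__ == "__main__":
    # Constructed sample: "/café" encoded as UTF-8, then an overlong "/" (C0 AF).
    samples = [b"/caf\xc3\xa9", b"\xc0\xaf", b"/a/../b"]
    for favor, non_utf8 in [(1, 0), (1, 1), (0, 1)]:
        for raw in samples:
            text, codec = decode_url_bytes(raw, favor, non_utf8)
            ok = accept_request_path(raw, favor, non_utf8)
            print(f"FavorUTF8={favor} EnableNonUTF8={non_utf8} {raw!r:18} -> "
                  f"{text!r} via {codec}, accepted={ok}")
```

With FavorUTF8=1 the UTF-8 request decodes to "/café"; with FavorUTF8=0 and EnableNonUTF8=1 the identical bytes decode to "/cafÃ©"
through the code page, and the overlong C0 AF, which a strict UTF-8 decoder refuses, is accepted as two Latin characters instead.
Setting FavorUTF8 (or disabling non-UTF-8 decoding entirely, per the NOTE) removes that ambiguity, and validating after decoding
keeps the check aligned with whichever interpretation the server actually uses.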

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-10

Plugin: Windows

Control ID: 0a2597eda4a5ace081bbea35ac27f778fd40914b9349cb16a1778140bee8f22d