The Automation Controller NGINX web server must limit the character set used for data entry.

STIG ID: APWS-AT-000610  |  SRG: SRG-APP-000251-WSR-000157 | Severity: medium |  CCI: CCI-001310

Vulnerability Discussion

It is important that Automation Controller NGINX web server limit the character set used for data entry and disallow Unicode use in hosted applications to avoid application compromise. Definition of the available character set for data entry can trap efforts to bypass security checks. The presence of nonstandard characters may cause the browser to interpret the content using a different character set than the defined one, because the system may interpret the content using a different CHARSET. Nonstandard encodings like UTF-7 can be used to bypass the application's defensive filters.

If character sets for data entry are not defined, it leaves open the door for attackers to bypass security checks and make the server vulnerable to malicious attack.

Check

As a System Administrator for each Automation Controller NGINX web server, verify the configuration requires a charset is mandatory.

NGINXCONF=`nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}' ` ; grep 'charset_required' $NGINXCONF || echo "FAILED"

If "FAILED" is displayed, this is a finding.

Fix

As a System Administrator for each Automation Controller NGINX web server, verify the NGINX web server configuration file in use is located at '/etc/nginx/nginx.conf'

NGINXCONF=`nginx -V 2>&1 | tr ' ' '\n' | sed -ne '/conf-path/{s/.*conf-path=\(.*\)/\1/;p}' ` ;

Add the directive to the NGINX configuration to force a required charset.

sed -i '/location/i charset_required; ' $NGINXCONF

Reload the NGINX server configurations for all NGINX processes.

$ pkill -HUP nginx
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.