IIS7 rejecting URLs containing +

thomad — Mon, 17 Dec 2007 23:52:00 GMT

If your application has a custom handler you might run into the following error message:

HTTP Error 404.11
The request filtering module is configured to deny a request that contains a double escape sequence.

Here is the deal. The IIS7 request filter rejects URLs containing + characters. We do this because the + character is a dangerous choice. Some standards, e.g. the CGI standard require +'s to be converted into spaces. This can become a problem if you have code that implements name-based rules, for example urlauthorization rules that base their decisions on some part of the url.
Here is a cooked up example:
Let's suppose you have code that evaluates the following rule:
<authorization vdir="my vdir">
<allowed users="Administrators"/>
</authorization>
With the ambiguity of leaving +'s in place or converting +'s to spaces there is a possiblity that your rule engine allows access to a non-Admin, for example if the attacker enters http://myserver/my+vdir. The "my vdir" authorization rule won't match because your authorization code searches for the string "my+vdir" but your rule says "my vdir". Your rule won't apply and the attacker gets access.

If you absolutely want to have spaces you can simply turn off the doubleEscaping feature for your application, for your site or for the whole server. Here is an example:

%windir%\system32\inetsrv\appcmd set config "Default Web Site" -section:system.webServer/security/requestfiltering -allowDoubleEscaping:true

Just Another IIS Blog : security

IIS7 rejecting URLs containing +

HTTP Error 404.11The request filtering module is configured to deny a request that contains a double escape sequence.

HTTP Error 404.11
The request filtering module is configured to deny a request that contains a double escape sequence.