I worked a case recently with FIM CM where the user was unable to search for requests with the Bulk Client to print smart cards.
After a few lengthy troubleshooting sessions I stumbled across Double Escapes. The resolution to the case was to add a “true” condition for double escapes in either the IIS server or the website for the FIM CM Portal.
There are two methods to implement the fix:
Manually adding
<requestFiltering allowDoubleEscaping="true">
to the following files:
Server Specific:
Site Specific:
Automatically changing the files with the following command:
appcmd set config "Default Web Site" /section:system.webServer/Security/requestFiltering -allowDoubleEscaping:True
appcmd set config "Default Web Site" /section:system.webServer/Security/requestFiltering -allowDoubleEscaping:True /commit:appHost
Double escapes can become a security hole for an IIS server. In our case, the customer was not concerned with the security hole that allowing double escapes created, since the server was internal to the company, only 2 people had access to it, and the site was only accessed from a single Windows 7 client where the Bulk Client for FIM CM was installed.
So what are Double Escapes? Forgive me, I am not an IIS expert, but Double Escapes are the ability for an IIS server to interpret something like (FirstName LastName) into FirstName%20Lastname. Potentially this could give someone the ability to inject SQL code or Java into a URL, which could possibly lead to code execution.
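To make the definition concrete, here is an added example (not from the original article, and not IIS's own code) that models the double-escape check as "percent-decode the path twice and reject it if the second pass still changes it". The request paths are constructed samples, and the function names are hypothetical.

```python
from urllib.parse import unquote

# Constructed sample request paths (not taken from any real FIM CM or IIS log).
SAMPLE_PATHS = [
    "/app/requests/First%20Last",     # space escaped once
    "/app/requests/First%2520Last",   # "%" itself escaped, so "%20" appears after one decode
    "/app/%252e%252e/settings",       # dots hidden behind a second layer of escaping
    "/app/discount/100%25",           # a literal percent sign, escaped once
]


def classify(path: str) -> dict:
    """Decode a request path twice and compare the two results.

    Simplified model (assumption): a path counts as double escaped when the
    second decoding pass produces something different from the first one.
    """
    first = unquote(path)
    second = unquote(first)
    return {
        "raw": path,
        "first_decode": first,
        "second_decode": second,
        "double_escaped": first != second,
    }


def flagged(paths):
    """Return the classification of every path the model would reject."""
    results = (classify(p) for p in paths)
    return [r for r in results if r["double_escaped"]]


if __name__ == "__main__":
    for r in flagged(SAMPLE_PATHS):
        # The gap between the two decodes is what a filter that inspects
        # only the first decode would never see.
        print(f'{r["raw"]!r}: {r["first_decode"]!r} -> {r["second_decode"]!r}')
```

Running a check like this over the URLs the client actually requests shows which ones depend on allowDoubleEscaping, which helps decide whether the setting has to be relaxed for the whole server or only for the one site.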
For more information:
Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 404.11 – URL_DOUBLE_ESCAPED"