IIS7 rejecting URLs containing + .
Here is the deal. The IIS7 request filter rejects URLs containing + characters. We do this because the + character is a dangerous choice. Some standards, e.g. the CGI standard require +'s to be converted into spaces. This can become a problem if you have code that implements name-based rules, for example urlauthorization rules that base their decisions on some part of the url.
Here is a cooked up example:
Let's suppose you have code that evaluates the following rule:
With the ambiguity of leaving +'s in place or converting +'s to spaces there is a possiblity that your rule engine allows access to a non-Admin, for example if the attacker enters http://myserver/my+vdir. The "my vdir" authorization rule won't match because your authorization code searches for the string "my+vdir" but your rule says "my vdir". Your rule won't apply and the attacker gets access.
If you absolutely want to have spaces you can simply turn off the doubleEscaping feature for your application, for your site or for the whole server. Here is an example:
%windir%\system32\inetsrv\appcmd set config "Default Web Site" -section:system.webServer/security/requestfiltering -allowDoubleEscaping:true
