I worked a case recently with FIM CM where the user was unable to search for requests with the Bulk Client to print smart cards.
After a few lengthy troubleshooting sessions I stumbled across Double Escapes. The resolution to the case was to add a “true” condition for double escapes in either the IIS server or the website for the FIM CM Portal.
There are two methods to implement the fix:
to the following files:
Automatically changing the files with the following command:
Appcmd set config "Default Web Site" /section:system.webServer/Security/requestFiltering -allowDoubleEscaping:True
appcmd set config "Default Web Site" /section:system.webServer/Security/requestFiltering -allowDoubleEscaping:True /commit:appHost
Double escapes can become a security hole for an IIS server. In our case, the customer was not concerned with the security hole that allowing double escapes created since the server was internal to the company, only 2 people had access to it and the site
was only accessed from a single Windows 7 client where the Bulk Client for FIM CM was installed
So what are Double Escapes?
Forgive me but I am not an IIS expert, but Double Escapes are the ability for an IIS server to interpret something like (FirstName LastName) into FirstName%20Lastname. Potentially this could give someone the ability to inject SQL code or java into a URL which
could possibly lead to code execution.
For more information:
Error message when you visit a Web site that is hosted on IIS 7.0: "HTTP Error 404.11 – URL_DOUBLE_ESCAPED"