我正在使用IIS(Microsoft-IIS/7.5),返回403禁止访问,但我无法弄清原因。 我已经缩小了范围,发现只有在单个字母之前出现%2F
时才会出现问题。 有任何想法是什么原因造成的吗?
这些有效...
- http://example.com/mySite123/index.cfm?x=blah%2Fblah
- http://example.com/mySite123/index.cfm?x=blah%2F
- http://example.com/mySite123/index.cfm?x=123%2F
- http://example.com/mySite123/index.cfm?x=%2F
但是,如果您在%2F
前加上任何单个字母,它将失败并显示403错误。
以下这些失败...
- http://example.com/mySite123/index.cfm?x=a%2F
- http://example.com/mySite123/index.cfm?x=b%2F
- http://example.com/mySite123/index.cfm?x=c%2F
- ...
- http://example.com/mySite123/index.cfm?x=z%2F
- http://example.com/mySite123/anything.anything?anything=x%2Fanything
谢谢!
更新: 我已排除ColdFusion,因为它会出现相同的403错误:http://example.com/mySite123/indexdotcfm?x=a%2F
更新:
Top Level IIs:
Checked:
Allow unlisted file name extensions
Allow unlisted verbs
Allow high-bit characters
Unchecked:
Allow double escaping
Request Limits:
Maximum allowed content length (Bytes): 30000000 Maximum URL length (Bytes):
4096 Maximum query string (Bytes): 2048
Sites
mySite123:
Checked:
Allow unlisted verbs
Allow high-bit characters
Unchecked:
Allow unlisted file name extensions
Allow double escaping
Request Limits:
Maximum allowed content length (Bytes): 2147483647
Maximum URL length (Bytes): 4096
Maximum query string (Bytes): 2048
Deny URL
/CFIDE/Administrator
/CFIDE/adminapi
更新:如果我更改所访问的目录,我可以将403错误更改为404错误。例如:
这会返回预期的404错误: http://www.example.com/anything.anything?anything=x%2Fanything
这会返回403错误: http://www.example.com/mySite123/anything.anything?anything=x%2Fanything
那么可以安全地假设403错误与“mySite123”虚拟目录设置有关吗?