We have a problem on a specific server. All plus signs sent to the application are replaced by spaces - in POST and GET, as well as on all pages of this site.
As a test case, I have this small page (this is an ASP server):
    <html>
    <body>
      <form method="post">
        <input type="text" name="Plus" id="Plus" />
        <input type="submit" />
      </form>
      Previous Value: <%= request("Plus") %><br />
      Query String: <%= request.querystring %>
    </body>
    </html>
On every other server, this works well, but on one server the pluses are replaced by spaces.
Example: when entering "1 2+3", request("Plus") is "1 2 3", and the query string is "1+2+3". Not good. Other characters seem to be decoded correctly.
It should be said that someone tried to "harden" this server against attacks, so obscure IIS settings may be enabled (although we removed the ISAPI filter).
Thanks.
UPDATE: It turns out another filter is installed, the ISEDIClipSQLInjection.dll SQL filter from http://www.codeplex.com/IIS6SQLInjection.
The filter is buggy - it replaces valid characters in POST and GET:
- Plus characters are replaced by spaces: "1%2B2" → "1+2", same as "1 2"
- Semicolons are replaced by commas: "hello;" → "hello,"
A newer version of the filter (2.0b) does not fix this, but allows certain pages to be excluded. Since it is installed in production, we decided not to remove the filter; instead we used JavaScript to change all the pluses to "&#43 " (with a space, not a semicolon).
Not the best solution, but what the boss wanted.
Kobi
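Added example (not part of the original post and not the filter's actual code): a constructed JavaScript model that reproduces the reported symptoms, assuming the filter percent-decodes the request, rewrites semicolons, and forwards the result without re-encoding it. The names buggyFilter, passThrough, roundTrip and mangledChars are hypothetical; mangledChars is a probe that lists which characters a filter sitting in front of an application alters.

```javascript
// Added example: a constructed model, not the actual ISAPI filter's code.
// ASCII-only decoder for one application/x-www-form-urlencoded value.
const percentDecode = (s) =>
  s.replace(/%([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
const formDecode = (raw) => percentDecode(raw.replace(/\+/g, " "));

// Encode a value the way a browser form submission does (space becomes "+").
const formEncode = (value) => encodeURIComponent(value).replace(/%20/g, "+");

// Assumed filter behaviour: percent-decode the wire data, turn ";" into ",",
// and forward the result without re-encoding it.
const buggyFilter = (wire) => percentDecode(wire).replace(/;/g, ",");

// A filter that only inspects the request and forwards it untouched.
const passThrough = (wire) => wire;

// Send a value through browser encoding, the filter, and server decoding.
function roundTrip(filter, value) {
  const forwarded = filter(formEncode(value));
  return { forwarded, seenByApp: formDecode(forwarded) };
}

// Return the probe characters that do not survive the round trip.
function mangledChars(filter, probe = " +;,&=%'\"<>") {
  return [...probe].filter((ch) => roundTrip(filter, `a${ch}b`).seenByApp !== `a${ch}b`);
}

console.log(roundTrip(buggyFilter, "1 2+3"));
console.log(mangledChars(buggyFilter), mangledChars(passThrough));
```

Running the same probe against a real endpoint that echoes the decoded value (like the test page above) shows whether an intermediate filter rewrites data before the application sees it.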