Dear friends,
We have a hosting business, running IIS 7.5. I installed UrlScan. I've had issues with paths such as this:
http://www.domain.com/index.php/services/products/
Unfortunately, this is something that happens with tons of WordPress sites. So asking customers to change their code to fix this, or putting each URL where it happens in allowed URLs, or disabling UrlScan on each site where it happens is something I'd prefer not to have to do; it would be a lot of work.
So I set allowdotinpath to 1 and restarted IIS.
The problem remains, as expected, because UrlScan.ini clearly explains that allowdotinpath is NOT for file suffixes.
So I tried to add index.php in allowed suffixes. That also didn't help.
Is there a way for UrlScan to ignore cases like the one above?
Or maybe I can use the native IIS HTTP filtering and somehow customize it to detect SQL injection, etc.? Or does it already do that by default?
Thanks!