404 Error when accessing Confluence space or page via IIS
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Symptoms
You see a 404 Error Not Found when trying to browse a space or page: "HTTP Error 404.11 - Not Found. The request filtering module is configured to deny a request that contains a double escape sequence."
Cause
By default, IIS7 rejects URLs that contain a double escaping sequence such as '+'. For example, the url http://localhost:8090/display/TT/Test+Test+Startseite will be rejected by IIS7 because it contains a '+' character.
Resolution
Disable the double escape validation in IIS7 by doing the following steps on IIS Manager :
Stop your website.
Select your site and click in Request Filtering.
Then click in Edit Feature Settings:
Check Allow double escaping and hit OK:
Start your site on IIS and check if you can reproduce the error again.
With the question of either leaving the '+' in place or converting those characters to spaces, be aware of the possibility that your rule engine may allow access to a non-Admin. For example, let's say an attacker enters http://myserver/my+vdir, and you have a rule looking for "my vdir". Your authorization rule won't match because your authorization code searches for the string "my+vdir" but your rule says "my vdir". As a result your rule won't apply and the attacker gets access.
Was this helpful?