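Cause of the short file name issue: when IIS receives a request whose file path contains "~", the response differs depending on whether the file exists.
Mitigation:
On IIS 6.0, install UrlScan and configure it to reject URLs containing "~";
On IIS 7.0 and later, install the URL Rewrite module and configure it to reject URLs containing "~".
URL Rewrite configuration
Add the following inside the <system.webServer> node of web.config: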
```xml
<rewrite>
  <rules>
    <!-- Reject any request whose URL contains "~" with a 403 response -->
    <rule name="RequestBlockingRule2" patternSyntax="Wildcard" stopProcessing="true">
      <match url="*" />
      <conditions>
        <add input="{URL}" pattern="*~*" />
      </conditions>
      <action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="You do not have permission to view this directory or page using the credentials that you supplied." />
    </rule>
  </rules>
</rewrite>
```
Adding the following rule addresses the Host header attack vulnerability:
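```xml
<!-- Goes inside <rewrite><rules>, next to the rule above. -->
<!-- Replace the pattern with the Host header your server expects. negate="true" makes the
     rule answer 403 to every request whose Host header does NOT match that value. -->
<rule name="RequestBlockingRule1" patternSyntax="Wildcard" stopProcessing="true">
  <match url="*" />
  <conditions>
    <add input="{HTTP_HOST}" pattern="你服务器的请求头" negate="true" />
  </conditions>
  <action type="CustomResponse" statusCode="403" statusReason="Forbidden: Access is denied." statusDescription="You do not have permission to view this directory or page using the credentials that you supplied." />
</rule>
```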
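A way to check both blocking rules offline before deploying them, as an added example that is not part of the original page: a simplified model of URL Rewrite wildcard rules run against sample requests. The function names, the host `www.example.com` and the sample requests are assumptions of this example, and the Host condition carries `negate="true"` so that it rejects every Host other than the expected one.

```python
import re
import xml.etree.ElementTree as ET

# Constructed web.config: the page's two rules, with a placeholder host name
# (www.example.com) and negate="true" on the Host condition.
WEB_CONFIG = """<configuration><system.webServer><rewrite><rules>
<rule name="RequestBlockingRule1" patternSyntax="Wildcard" stopProcessing="true">
  <match url="*" />
  <conditions><add input="{HTTP_HOST}" pattern="www.example.com" negate="true" /></conditions>
  <action type="CustomResponse" statusCode="403" />
</rule>
<rule name="RequestBlockingRule2" patternSyntax="Wildcard" stopProcessing="true">
  <match url="*" />
  <conditions><add input="{URL}" pattern="*~*" /></conditions>
  <action type="CustomResponse" statusCode="403" />
</rule>
</rules></rewrite></system.webServer></configuration>"""

def wildcard_match(pattern, value):
    """Simplified wildcard match: '*' is the only wildcard, case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None

def blocking_rule(config_xml, host, url):
    """Return the name of the first rule that would answer 403, or None."""
    variables = {"{HTTP_HOST}": host, "{URL}": url}
    for rule in ET.fromstring(config_xml).iter("rule"):
        action = rule.find("action")
        if rule.get("patternSyntax") != "Wildcard" or action is None:
            continue  # only the Wildcard syntax is modelled here
        if action.get("statusCode") != "403":
            continue
        # <match url> is tested against the path without its leading slash.
        hit = wildcard_match(rule.find("match").get("url"), url.lstrip("/"))
        for cond in rule.iterfind("conditions/add"):  # all conditions must hold
            matched = wildcard_match(cond.get("pattern"), variables[cond.get("input")])
            if cond.get("negate", "false").lower() == "true":
                matched = not matched
            hit = hit and matched
        if hit:
            return rule.get("name")
    return None

if __name__ == "__main__":
    for host, url in [("www.example.com", "/default.aspx"),
                      ("www.example.com", "/PROGRA~1/index.aspx"),
                      ("attacker.example.net", "/default.aspx")]:
        print(host, url, "->", blocking_rule(WEB_CONFIG, host, url) or "allowed")
```

Removing `negate="true"` from the Host condition inverts the result: the expected host is answered with 403 and every other Host value passes, which is why the attribute matters.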