A 403 error means "access denied" usually because the user does not have privileges. Simply adding some garbage to the end of the path is generally not something that would change this condition. But your server seems to be saying /any-folder/ is off limits (perhaps unless the user is authenticated), but something more revealing (file not found) if they just add some garbage to the end.

We used McAffee ScanGuard for a while, and at first I thought their error reporting was a little overzealous, but this probably shouldn't happen -- if there's a directory that's off limits, it's probably good practice to ensure that it also gets a 403 forbidden error as well. This isn't so much of an error as it is a way that spammers/hackers can use to see how the server responds to various requests and look for exploits. If /any-folder/ is off limits, then /any-folder/{some garbage} most likely should be, as well.

Tom

Any ideas on how to make both /any-folder/ and /any-folder/hex-encoded-stuff both give the 403 forbidden messages at all?

Thanks,

Stephen

Easy fix: Deny requests for all percent-encoded HTTP Methods, URL-paths, query-strings, fragments, and protocols:

RewriteCond %{THE_REQUEST} ^[^%]*\%
RewriteRule ^ - [F]

This in addition to the usual "Options -Indexes" should take care of it.

Jim