Some web developers call MapPath on form input to find out where to get/save files... allowing Parent Paths could mean an unauthorized file viewage or overwrite. -Justin -----Original Message----- From: Robert Zachary [mailto:RZacha1at_private] Sent: Monday, January 31, 2000 10:38 AM To: BUGTRAQat_private Subject: Disable Parent Paths Writing a new IIS policy : summary: Parent Paths allows you to use '..' in calls to MapPath and the like. By default this option is enabled and should be disabled. To disable this option go to the root of the Web site in question, right click select Properties | Home Directory | Configuration | App Options and uncheck Enable Parent Paths. my question: What security hole/hack does this create if left enabled?. Rob
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:32:36 PDT