Re: Disable Parent Paths

From: Justin King (JKingat_private)
Date: Mon Jan 31 2000 - 12:39:23 PST

Next message: Eivind Eklund: "Re: S/Key & OPIE Database Vulnerability"

Previous message: Brian Hampson: "Re: SyGate 3.11 Port 7323 / Remote Admin hole"
Maybe in reply to: Robert Zachary: "Disable Parent Paths"
Next in thread: Gary Geisbert: "Re: Disable Parent Paths"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Some web developers call MapPath on form input to find out where to get/save
files... allowing Parent Paths could mean an unauthorized file viewage or
overwrite.

-Justin

 -----Original Message-----
From: 	Robert Zachary [mailto:RZacha1at_private]
Sent:	Monday, January 31, 2000 10:38 AM
To:	BUGTRAQat_private
Subject:	Disable Parent Paths

Writing a new IIS policy :

summary: Parent Paths allows you to use '..' in calls to MapPath and the
like. By default this option is enabled and should be disabled. To disable
this option go to the root of the Web site in question, right click select
Properties | Home Directory | Configuration | App Options and uncheck Enable
Parent Paths.

my question: What security hole/hack does this create if left enabled?.

Rob

Next message: Eivind Eklund: "Re: S/Key & OPIE Database Vulnerability"
Previous message: Brian Hampson: "Re: SyGate 3.11 Port 7323 / Remote Admin hole"
Maybe in reply to: Robert Zachary: "Disable Parent Paths"
Next in thread: Gary Geisbert: "Re: Disable Parent Paths"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:32:36 PDT