>*snip* > >my question: What security hole/hack does this create if left enabled?. > > *snip* That all depends on how well the box is already configured.. =/ However, one of the most notable problems is with Allow Parent Paths enabled, an ASP script using the FileSystemObject coupled with Server.MapPath(), can open up the source for scripts/files (or even worse, write something into the other scripts/files). This was illustrated in an advisory released by l0pht a few months ago, which used a script that IIS installs by default. It used the sample file (showcode.asp I believe) to open up files like global.asa, which could reveal database user/pass's as well as all sorts of information. Gary Geisbert =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Senior Systems Engineer garyat_private Newsletters.com http://www.newsletters.com =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:32:38 PDT