[13616] in bugtraq


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

Disable Parent Paths

daemon@ATHENA.MIT.EDU (Robert Zachary)
Mon Jan 31 16:32:43 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-Id:  <8F0F57AEE769D211B6410008C756E13B05A92F36@ntmailk.tandy.com>
Date:         Mon, 31 Jan 2000 09:37:47 -0600
Reply-To: Robert Zachary <RZacha1@TANDY.COM>
From: Robert Zachary <RZacha1@TANDY.COM>
X-To:         "BUGTRAQ@SECURITYFOCUS.COM" <BUGTRAQ@SECURITYFOCUS.COM>,
              "howto@LISTSERV.NTSECURITY.NET" <howto@LISTSERV.NTSECURITY.NET>,
              "ntsecurity@iss.net" <ntsecurity@iss.net>
To: BUGTRAQ@SECURITYFOCUS.COM

Writing a new IIS policy :

summary: Parent Paths allows you to use '..' in calls to MapPath and the
like. By default this option is enabled and should be disabled. To disable
this option go to the root of the Web site in question, right click select
Properties | Home Directory | Configuration | App Options and uncheck Enable
Parent Paths.

my question: What security hole/hack does this create if left enabled?.

Rob


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

[13616] in bugtraq

Disable Parent Paths

daemon@ATHENA.MIT.EDU (Robert Zachary)Mon Jan 31 16:32:43 2000

daemon@ATHENA.MIT.EDU (Robert Zachary)
Mon Jan 31 16:32:43 2000