Re: Parent Paths
From: Jason Brown [MSFT] (i-brjaso_at_online.microsoft.com)
Date: 10/27/04
- Next message: Ken Schaefer: "Re: IIS6 - Virtual Directory to URL share, authentication problems."
- Previous message: Jason Brown [MSFT]: "Re: Server.CreateObject Access Error"
- In reply to: news.microsoft.com: "Parent Paths"
- Next in thread: Mike: "Re: Parent Paths"
- Reply: Mike: "Re: Parent Paths"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 27 Oct 2004 11:52:42 +1000
Yes, unless a malicious user is somehow able to upload a .asp or other
active file to the server - they could then in theory do just what you're
doing and use parent paths server-side.
This kind of vulnerability is more common than you may think - if a user can
upload a file to a web-viewable directory which contains script, then a URL
filter will do no good at all. Then again if you are vulnerable to that one,
then disabling PPs server-side is the least of your worries.
-- Jason Brown Microsoft GTSC, IIS This posting is provided "AS IS" with no warranties, and confers no rights. "news.microsoft.com" <me@here.com> wrote in message news:Oqxjyh3uEHA.3376@TK2MSFTNGP12.phx.gbl... > If I've enabled Parent Paths (PP) in IIS, but have installed the URL > Filter > and disallowed ".." and "../" within links, am I covered from the > vulnerabilities of PP's? > > This allows me to use PP's in #Include statements, but doesn't allow > visitors to use PP's in their links to access directories on my server. > > Is this correct? > > TIA > >
- Next message: Ken Schaefer: "Re: IIS6 - Virtual Directory to URL share, authentication problems."
- Previous message: Jason Brown [MSFT]: "Re: Server.CreateObject Access Error"
- In reply to: news.microsoft.com: "Parent Paths"
- Next in thread: Mike: "Re: Parent Paths"
- Reply: Mike: "Re: Parent Paths"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
