Re: IIS Setting "Enable Parent Path" and security implications
From: PeterB (peter_at_data.se)
Date: 02/09/05
- Next message: RealityChuck: "Eliminating domain name for login on IIS 5.0"
- Previous message: Ben McLaurin: "Re: Scripts and permissions"
- In reply to: Chris Geier: "RE: IIS Setting "Enable Parent Path" and security implications"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 9 Feb 2005 16:26:57 +0100
Excuse my lack of web-hacking knowledge, but is this a security issue
looking from the client connecting to the server or the existing code on the
server?
I mean, can a hacker introduce ASP code with parent paths into my website
through the existing pages (input forms, address bar... you name it...) or
is it that the developer creating asp-webpages will have unlimited access to
the server?
If it is the second alternative it isn't much of a security threat if you
only have trusted web-developers, right?
In what way can a system be compromised when parent paths are enabled?
#Looking at my own development:
I'm using the sub-webroot directory as a secure place for my access database
file. If it is placed within the web-site directory tree, it is easily
downloaded if you know the full path (i.e. www.mysite.com/db/mydb.mdb) while
www.mysite.com/../mydb.mdb wouldn't work. Enabling Parent Paths won't let
the second way work either.
The problem is that if I want my site to be easily exported (between
test-server and webhotel account) I can't use the absolute path as it is
different in the two places. Hence the relative path comes in really handy
:-) I also have a bunch of application files, which I want to store in a
secure (non public downloadable) place.
Is there a better way to store sensitive databases/files that the
web-application needs access to? (files inside a database is not an option)
So should I always use the absolute path when accessing these files?
Is using relative paths bad practice?
/ Peter
"Chris Geier" <chris.geier at gmail.com> skrev i meddelandet
news:C1BBE827-9957-4801-A9ED-872E683A5349@microsoft.com...
> Others have said it best, so I will copy and paste
>
> parent paths are like "../folder/folder/file.asp", notice the ../ trying
> to go to the "Parent Path". This would be used for like include files or a
> database path.
>
> By default, Enable parent paths is set to no. When Enable parent paths is
> set to no, a FileSystemObject object instantiated by an ASP application is
> limited to that application's defined directory. This is the most secure
> setting and is appropriate for most shared Web hosting environments.
>
>
>
> When Enable parent paths is set to yes, the FileSystemObject object can
> access files outside the ASP application directory. In this scenario, ASP
> developers can use the "../" syntax in #include statements to access any
> file outside of the Web directory that the ASP Server has file system
> permission to read.
>
> Changing Enable parent paths to yes can affect the security of your
> server. Before you change this setting, make sure that the ASP Server has
> permission to access only the files you want to be publicly accessible, and
> that it does not have access to sensitive files containing configuration or
> password information. You can restrict the permissions of the ASP Server by
> defining the user it runs under, and making sure that that user has
> appropriately restricted file system permissions.
>
> Note: The Enable parent paths setting does not add any restrictions to
> executing Java code. For example, if you want to restrict Java code to
> access files within the application directory, the proper permissions
> should be in the bean.policy file.
>
> use absolute paths rather than parent paths.
>
> "/folder/folder/file.asp" - absolute paths that can be used from any level
> of the sites directory structure.
>
> Anyone using a sub-domain or a domain should be able to refer to the
> root of their site using nothing more than a " / ". Using that style of
> path you could reduce the menus to just one file rather than two.
>
> I could be wrong here but the parent path you show looks like a relative
> path to me. Meaning it will only open a file that is in a position
> relevant to where the file is being called from.
>
> Most of this could be resolved if you set a site root variable, then used
> that for all the images, links etc....
>
> Parent paths are used by web developers to navigate to pages that are
> further embedded in the directory structure. By disabling the parent paths,
> one is preventing the hacker from using a parent path notation (i.e. "../")
> to move around the web site.
>
>
> "IDO" wrote:
>
>> But even if this check is clear I can still make requests using "..".
>> What do you mean with view/traverse? You are talking about web request or
>> server.mappath method?
>> Can you give me an exact description of this check?
>>
>> Thank you for your interest
>>
>>
>> "Chris Geier" wrote:
>>
>> > I do not believe that to be the case. This security measure is to
>> > prevent people from being able to view/traverse some of the directories
>> > in your website, going from the website directory to its parent and so
>> > forth, and you can do this without knowing the directory structure. With
>> > this setting disabled you would have to know the directory structure to
>> > traverse it.
>> >
>> > "IDO" wrote:
>> >
>> > > I'm investigating on the security implications of the parent path.
>> > > Reading some TechNet article I get that this check influences only the
>> > > behaviour of the server.mappath function and the include addressing.
>> > > So, with this check clear you can still send request to IIS using ".."
>> > > (see: http://support.microsoft.com/default.aspx?scid=kb;en-us;184717).
>> > >
>> > > In my site I don't use the server.mappath method, can it be
>> > > considered a security risk to enable this check? What are the possible
>> > > attacks?
>> > >
>> > > Thanks in advance
>> > > IDO
>> > >
>> > >
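As an added illustration (not code from this thread, and not IIS's own implementation), the Python below simulates the two points discussed above: how the Enable Parent Paths setting refuses a ".." segment in an #include or Server.MapPath argument as Chris Geier's quoted text describes, what containment check a developer has to add once the setting is turned on, and how Peter's sensitive database can be located through a per-deployment configured absolute directory outside the web root instead of a "../" relative path. The virtual paths /app and /app/pages, the directory /srv/site_private, the file name mydb.mdb and all function names are assumed sample values.

```python
"""Added illustration (not code from the thread or from IIS): how the
Enable Parent Paths check treats "../" in an #include or Server.MapPath
argument, and how a sensitive file can be located through a configured
directory outside the web root instead of a "../" relative path.
Virtual paths are modelled as '/'-separated strings; /app, /srv/site_private
and mydb.mdb are assumed sample values."""
import os
import posixpath


class DisallowedParentPath(Exception):
    """Stands in for the error IIS raises when parent paths are disabled
    and an include or MapPath argument contains a '..' segment."""


def resolve_include(page_dir, include_path, parent_paths_enabled):
    """Resolve an include path the way the thread describes the setting.

    page_dir: virtual directory of the calling page, e.g. "/app/pages"
    include_path: the value from #include file="..." or Server.MapPath(...)
    With parent paths disabled, any '..' segment is refused outright, even
    if the result would stay inside the application. With them enabled, the
    path is resolved relative to page_dir. A path starting with '/' is an
    absolute virtual path and resolves from the site root, which is the
    style the reply recommends.
    """
    segments = include_path.replace("\\", "/").split("/")
    if ".." in segments and not parent_paths_enabled:
        raise DisallowedParentPath(include_path)
    return posixpath.normpath(posixpath.join(page_dir, include_path))


def is_within(base_dir, virtual_path):
    """True if virtual_path lies inside base_dir (or is base_dir itself).

    This is the containment check a developer must add themselves once
    parent paths are enabled: the setting no longer keeps resolved paths
    inside the application directory."""
    base = posixpath.normpath(base_dir).rstrip("/") + "/"
    return (posixpath.normpath(virtual_path) + "/").startswith(base)


def private_file_path(private_root, name):
    """Map a logical file name to a file under a configured private directory.

    private_root is an absolute directory outside the web root, set per
    deployment (test server vs. hosting account) in configuration, so the
    site stays portable without "../" in the code. Names that would escape
    the directory are rejected, so a name derived from user input cannot
    reach a parent directory."""
    root = os.path.normpath(private_root)
    candidate = os.path.normpath(os.path.join(root, name))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("name escapes private directory: %r" % name)
    return candidate


if __name__ == "__main__":
    # Parent paths disabled: a same-application include is fine ...
    print(resolve_include("/app/pages", "inc/footer.inc", False))
    # ... but any "../" is refused, even one that stays inside /app.
    try:
        resolve_include("/app/pages", "../inc/header.inc", False)
    except DisallowedParentPath as exc:
        print("refused:", exc)
    # Parent paths enabled: the same include now resolves, and a deeper
    # "../../" walks out of the application unless the caller checks.
    escaped = resolve_include("/app/pages", "../../secret.inc", True)
    print(escaped, "inside /app?", is_within("/app", escaped))
    # Sensitive database kept outside the web root via configuration.
    print(private_file_path("/srv/site_private", "mydb.mdb"))
    try:
        private_file_path("/srv/site_private", "../www/mydb.mdb")
    except ValueError as exc:
        print("refused:", exc)
```

The design point for Peter's portability question is in private_file_path: the only thing that differs between the test server and the hosting account is the value of private_root, read from configuration, while the code itself never contains "../". The web server is not asked to serve anything under that directory, so the database cannot be fetched by URL, and the commonpath check keeps even a user-supplied file name from reaching a parent directory.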