Bugtraq: Re: Disable Parent Paths

From: Justin King <JKing_at_GFPGROUP.COM>
Date: Mon, 31 Jan 2000 15:39:23 -0500

Some web developers call MapPath on form input to find out where to get/save
files... allowing Parent Paths could mean an unauthorized file view or
overwrite.

-Justin

-----Original Message-----
From: Robert Zachary [mailto:RZacha1_at_TANDY.COM]
Sent: Monday, January 31, 2000 10:38 AM
To: BUGTRAQ_at_SECURITYFOCUS.COM
Subject: Disable Parent Paths

Writing a new IIS policy:

Summary: Parent Paths allows you to use '..' in calls to MapPath and the
like. By default this option is enabled and should be disabled. To disable
this option, go to the root of the Web site in question, right-click, select
Properties | Home Directory | Configuration | App Options and uncheck Enable
Parent Paths.

My question: What security hole/hack does this create if left enabled?

Rob
Received on Feb 01 2000
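
The pattern described in the reply above, next to a hardened form, as an added Classic ASP example that is not from either post. The /uploads/ virtual directory, the "file" form field and both function names are assumptions made for illustration.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit

' Hypothetical virtual directory that user files are meant to stay inside.
Const UPLOAD_VDIR = "/uploads/"

' Pattern the thread warns about: form input goes straight into MapPath.
' With Enable Parent Paths checked, a value containing ".." can resolve to
' a physical path outside the intended directory.
Function UnsafeResolve(name)
    UnsafeResolve = Server.MapPath(UPLOAD_VDIR & name)
End Function

' Hardened form: allow-list the file name, then confirm that the resolved
' physical path still sits under the physical upload root.
' Returns "" when the name is rejected.
Function SafeResolve(name)
    Dim re, fso, root, full
    SafeResolve = ""

    ' Plain file names only: no slashes, backslashes, colons or "..".
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)?$"
    If Not re.Test(name) Then Exit Function

    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    root = fso.GetAbsolutePathName(Server.MapPath(UPLOAD_VDIR))
    If Right(root, 1) <> "\" Then root = root & "\"
    full = fso.GetAbsolutePathName(Server.MapPath(UPLOAD_VDIR & name))

    ' Containment check, case-insensitive because Windows paths are.
    If StrComp(Left(full, Len(root)), root, vbTextCompare) = 0 Then
        SafeResolve = full
    End If
End Function

Dim target
target = SafeResolve(CStr(Request.Form("file")))
If target = "" Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid file name"
    Response.End
End If
Response.Write "Resolved inside the upload directory"
%>
```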
