mailing list archives
Re: Disable Parent Paths
From: gary () NEWSLETTERS COM (Gary Geisbert)
Date: Mon, 31 Jan 2000 15:48:57 -0500
my question: What security hole/hack does this create if left enabled?.
That all depends on how well the box is already configured.. =/ However,
one of the most notable problems is with Allow Parent Paths enabled, an ASP
script using the FileSystemObject coupled with Server.MapPath(), can open up
the source for scripts/files (or even worse, write something into the other
This was illustrated in an advisory released by l0pht a few months ago,
which used a script that IIS installs by default. It used the sample file
(showcode.asp I believe) to open up files like global.asa, which could
reveal database user/pass's as well as all sorts of information.
Senior Systems Engineer gary () newsletters com