IIS Server Security - Parent Paths

news.microsoft.com

2004-10-26, 5:50 pm

If I've enabled Parent Paths (PP) in IIS, but have installed the URL Filter
and disallowed ".." and "../" within links, am I covered from the
vulnerabilities of PP's?

This allows me to use PP's in #Include statements, but doesn't allow
visitors to use PP's in their links to access directories on my server.

Is this correct?

TIA


Jason Brown [MSFT]

2004-10-26, 8:46 pm

Yes, unless a malicious user is somehow able to upload a .asp or other
active file to the server - they could then in theory do just what you're
doing and use parent paths server-side.

This kind of vulnerability is more common than you may think - if a user can
upload a file to a web-viewable directory which contains script, then a URL
filter will do no good at all. Then again if you are vulnerable to that one,
then disabling PPs server-side is the least of your worries.


--
Jason Brown
Microsoft GTSC, IIS

This posting is provided "AS IS" with no warranties, and confers no rights.


"news.microsoft.com" <me@here.com> wrote in message
news:Oqxjyh3uEHA.3376@TK2MSFTNGP12.phx.gbl...
> If I've enabled Parent Paths (PP) in IIS, but have installed the URL
> Filter
> and disallowed ".." and "../" within links, am I covered from the
> vulnerabilities of PP's?
>
> This allows me to use PP's in #Include statements, but doesn't allow
> visitors to use PP's in their links to access directories on my server.
>
> Is this correct?
>
> TIA
>
>



Mike

2004-10-28, 5:51 pm

Thanks for the response...

If an upload folder is present, but the Script rights are set to 'None' on
that folder, then this vulnerability should be covered, right?

i.e. They may indeed be able to upload an asp file to your upload folder,
but won't be able to run it.

Thanks,
Mike


"Jason Brown [MSFT]" <i-brjaso@online.microsoft.com> wrote in message
news:%23yysoe8uEHA.3200@TK2MSFTNGP14.phx.gbl...
> Yes, unless a malicious user is somehow able to upload a .asp or other
> active file to the server - they could then in theory do just what you're
> doing and use parent paths server-side.
>
> This kind of vulnerability is more common than you may think - if a user can
> upload a file to a web-viewable directory which contains script, then a URL
> filter will do no good at all. Then again if you are vulnerable to that one,
> then disabling PPs server-side is the least of your worries.
>
>
> --
> Jason Brown
> Microsoft GTSC, IIS
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
> "news.microsoft.com" <me@here.com> wrote in message
> news:Oqxjyh3uEHA.3376@TK2MSFTNGP12.phx.gbl...
>
>



Jason Brown [MSFT]

2004-10-28, 8:47 pm

Yep. As long as there's no way of influencing where the file is saved to,
that would be fine.


--
Jason Brown
Microsoft GTSC, IIS

This posting is provided "AS IS" with no warranties, and confers no
rights.


"Mike" <me@here.com> wrote in message
news:O1tFwoPvEHA.3624@TK2MSFTNGP09.phx.gbl...
> Thanks for the response...
>
> If an upload folder is present, but the Script rights are set to 'None' on
> that folder, then this vulnerability should be covered, right?
>
> i.e. They may indeed be able to upload an asp file to your upload folder,
> but won't be able to run it.
>
> Thanks,
> Mike
>
>
> "Jason Brown [MSFT]" <i-brjaso@online.microsoft.com> wrote in message
> news:%23yysoe8uEHA.3200@TK2MSFTNGP14.phx.gbl...
>
>
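
The condition in the last reply (the uploader must have no way of influencing where the file is saved) can be enforced in the upload handler itself. The sketch below is an added example, not part of the original thread or any poster's code; `UPLOAD_ROOT`, `safe_upload_path` and the allow-list policy are assumptions, and `ntpath` is used so Windows path rules apply on any platform.

```python
import ntpath
import re

# Assumption: one fixed upload folder whose IIS execute/script rights are "None".
UPLOAD_ROOT = r"D:\inetpub\uploads"  # hypothetical path

# Allow-list for the stored name: no separators, colons, '%' or leading dots.
_ALLOWED = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")
# Windows device names resolve to devices, not files, whatever the extension.
_RESERVED = re.compile(r"(con|prn|aux|nul|com[1-9]|lpt[1-9])(\..*)?", re.I)


def safe_upload_path(client_name, root=UPLOAD_ROOT):
    """Return the absolute save path for an upload, or None if rejected."""
    # Keep only the final component; Windows accepts '/' and '\' alike,
    # so "..\..\wwwroot\x.asp" and "../../wwwroot/x.asp" both collapse
    # to "x.asp" and the directory part supplied by the client is discarded.
    leaf = ntpath.basename(client_name.replace("/", "\\"))

    # fullmatch (not match with '$') so a trailing newline cannot slip in.
    # This also rejects "..", NTFS stream names ("a.jpg:x.asp") and
    # percent-encoded separators.
    if not _ALLOWED.fullmatch(leaf):
        return None
    # Windows strips a trailing dot, so "a.asp." would be stored as "a.asp".
    if leaf.endswith(".") or _RESERVED.fullmatch(leaf):
        return None

    candidate = ntpath.normpath(ntpath.join(root, leaf))
    # Defence in depth: the result must sit directly inside the upload root.
    if ntpath.dirname(candidate).lower() != ntpath.normpath(root).lower():
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample names, not taken from the thread.
    for name in ["report.pdf", r"..\..\wwwroot\x.asp", "a.jpg:x.asp", ".."]:
        print(repr(name), "->", safe_upload_path(name))
```

A name carrying parent-path segments still ends up inside the upload folder, where the missing script rights keep it from running.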




Copyright 2003 - 2008 webservertalk.com