Also:

http://support.microsoft.com/kb/184717/

NOTE: Disabling ASP Parent Paths will only affect the execution of dynamic 
content on .asp pages. This does not affect the server's ability to reference 
static content using HTML code (whether it is called from .htm, .html or .asp 
files). The following line in a default.asp would properly display the image 
without returning an ASP 0131 error, even after AspEnableParentPaths = False:


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jay Sudowski - 
Handy Networks LLC
Sent: Monday, April 03, 2006 5:30 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Declude 4.1 Is Out

Wrongggggggggg. 

Enabling parent paths doesn't allow you to actually enter ../../../../../ and 
traverse directories into your URL string!

http://support.microsoft.com/default.aspx?scid=kb;en-us;332117

It simply allows you to use ../ in your ASP and SSI includes!

Goodness gracious.

PS - Please use plain text unless you have a particularly compelling reason to 
post in HTML.
________________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Monday, April 03, 2006 5:27 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Declude 4.1 Is Out

I beg to differ.  IMO, Enabling Parent Paths is one of the biggest security 
risks for a Web server, and IIS disables them by default because of this.  Most 
exploits require multiple configuration mistakes to exploit, and if you enable 
Parent Paths, it increases your likelihood of being hacked many times over.  If 
you look at your logging of websites on your server, you will likely see 
entries around 200 at a time from script kiddies, most of which are seeking to 
exploit configurations where parent paths are enabled.

The proper way to approach this would be to create a virtual directory under 
the website, and configure an exclusive group as having permissions for the 
Declude directory.

Matt


Jay Sudowski - Handy Networks LLC wrote: 
Practically speaking, the security risks related to parent paths are
near zero.  On a scale of 0 to 100, having parent paths enabled would be a
.01, assuming your NTFS permissions are tight.

-Jay 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Monday, April 03, 2006 5:09 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Declude 4.1 Is Out

From the readme.html:

"Parent paths must be enabled."

Sorry, no they will not be enabled. That is a security risk I am not
going to open up on my server.

John T
eServices For You

"Seek, and ye shall find!"


  
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-
[EMAIL PROTECTED] On Behalf Of Jay Sudowski - Handy Networks LLC
Sent: Monday, April 03, 2006 1:45 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Declude 4.1 Is Out

http://www.declude.com/Articles.asp?ID=186

Aside from the web admin, are there any other fixes or feature
enhancements?  The release notes reference 4.0.9.4 ...

Thanks!
-----
Jay Sudowski // Handy Networks LLC
Director of Technical Operations
Providing Shared, Reseller, Semi Managed and Fully Managed Windows 2003
Hosting Solutions
Tel: 877-70 HANDY x882 |  Fax: 888-300-2FAX
www.handynetworks.com

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.
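
The distinction argued over in this thread, as an added example that is not part of any poster's message or of Declude's code: a short Python audit that lists the `#include` directives climbing with `..` (the ones that return ASP 0131 once AspEnableParentPaths = False) while ignoring static `src`/`href` references. The sample page, function names and file paths are constructed for illustration, and treating `virtual=` includes the same as `file=` includes is an assumption.

```python
import re

# Server-side include directive: <!-- #include file="..." --> or virtual="..."
INCLUDE_RE = re.compile(
    r'<!--\s*#include\s+(file|virtual)\s*=\s*"([^"]*)"\s*-->',
    re.IGNORECASE,
)


def has_parent_segment(path):
    """True if any path segment is exactly '..' (either slash style)."""
    return ".." in re.split(r"[\\/]", path)


def find_parent_path_includes(source):
    """Return (line_no, kind, path) for each include that climbs with '..'.

    Assumption: file= and virtual= includes are flagged alike; static HTML
    references are never matched because they are not #include directives.
    """
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for kind, path in INCLUDE_RE.findall(line):
            if has_parent_segment(path):
                hits.append((line_no, kind.lower(), path))
    return hits


# Constructed sample page, not taken from Declude or from the thread.
SAMPLE_ASP = '''<%@ Language=VBScript %>
<!-- #include file="../inc/header.asp" -->
<!--#INCLUDE FILE="..\\shared\\db.asp"-->
<!-- #include file="inc/local.asp" -->
<!-- #include virtual="/inc/footer.asp" -->
<img src="../images/logo.gif">
<a href="../../index.htm">home</a>
'''

if __name__ == "__main__":
    for line_no, kind, path in find_parent_path_includes(SAMPLE_ASP):
        print(f'line {line_no}: #include {kind}="{path}" uses a parent path')
```

Running it over a site's .asp and .inc files before changing the setting shows which includes would need to be rewritten as root-relative `virtual=` paths.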
    
