RE: [Declude.JunkMail] Declude 4.1 Is Out

[Craig Edmonds]

On a dedicated server where you have more control over the permissions, I think you can use parent paths without "many" problems.   I am an asp programmer and rely on them for my include files etc.   Its when you use some of the control panel software that puts permissions about the root of sites you start to get problems.   I had loads of problems with Ensim on Win 2000 giving access to a couple of directories above the root of the site allowing some people to upload files where they should not have.   The switch over to 2003 and manually configuring my server solved that.   Kindest Regards Craig Edmonds 123 Marbella Internet W: www.123marbella.com E : [EMAIL PROTECTED]   Marbella Guide Web Portal W: www.marbellaguide.com E: [EMAIL PROTECTED]   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Bilbee Sent: Monday, April 03, 2006 11:48 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Declude 4.1 Is Out Install url scan and use the IIS lockdown tool. this will stop all ../../../ attacks dead in their tracks. Rerardless of the parent paths setting.     Kevin Bilbee          -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Matt Sent: Monday, April 03, 2006 2:38 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Declude 4.1 Is Out Jay, This is incorrect.  You can traverse directories within your root using "../" with Parent Paths disabled, but if you enable it, you can go outside your root so long as the file permissions allow it.  Here's a quote from the KB article that you linked to: "The Parent Paths option (the AspEnableParentPaths metabase property) permits you to use ".." in calls to functions such as MapPath by allowing paths that are relative to the current directory using the ..\notation. Setting this property to True may constitute a security risk because an include path can access critical or confidential files outside the root directory of the application." Matt Jay Sudowski - Handy Networks LLC wrote: Wrongggggggggg. Enabling parent paths doesn't allow you to actually enter ../../../../../ and transverse directories into your URL string! http://support.microsoft.com/default.aspx?scid=kb;en-us;332117 It simply allows you to use ../ in your ASP and SSI includes! Goodness gracious. PS - Please use plain text unless you have a particularly compelling reason to post in HTML. ________________________________________ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Sent: Monday, April 03, 2006 5:27 PM To: Declude.JunkMail@declude.com Subject: Re: [Declude.JunkMail] Declude 4.1 Is Out I beg to differ.  IMO, Enabling Parent Paths is one of the biggest security risks for a Web server, and IIS disables them by default because of this.  Most exploits require multiple configuration mistakes to exploit, and if you enable Parent Paths, it increases your likelihood of being hacked many times over.  If you look at your logging of websites on your server, you will likely see entries around 200 at a time from script kiddies, most of which are seeking to exploit configurations where parent paths are enabled. The proper way to approach this would be to create a virtual directory under the website, and configure an exclusive group as having permissions for the Declude directory. Matt Jay Sudowski - Handy Networks LLC wrote: Practically speaking, the security risks related to parent paths are near zero. On scale of 0 to 100, having parent paths enabled would be a .01, assuming your NTFS permissions are tight. -Jay -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John T (Lists) Sent: Monday, April 03, 2006 5:09 PM To: Declude.JunkMail@declude.com Subject: RE: [Declude.JunkMail] Declude 4.1 Is Out >From the readme.html: "Parent paths must be enabled." Sorry, no they will not be enabled. That is a security risk I am not going to open up on my server. John T eServices For You "Seek, and ye shall find!" -----Original Message----- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED]] On Behalf Of Jay Sudowski - Handy Networks LLC Sent: Monday, April 03, 2006 1:45 PM To: Declude.JunkMail@declude.com Subject: [Declude.JunkMail] Declude 4.1 Is Out http://www.declude.com/Articles.asp?ID=186 Aside from the web admin, are there any other fixes or feature enhancements? The release notes reference 4.0.9.4 ... Thanks! ----- Jay Sudowski // Handy Networks LLC Director of Technical Operations Providing Shared, Reseller, Semi Managed and Fully Managed Windows 2003 Hosting Solutions Tel: 877-70 HANDY x882 | Fax: 888-300-2FAX www.handynetworks.com --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com. --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.