On a dedicated server where you have more control over the permissions, I think you can use parent paths without "many" problems.

I am an ASP programmer and rely on them for my include files etc.

It's when you use some of the control panel software that puts permissions above the root of sites that you start to get problems.

I had loads of problems with Ensim on Win 2000 giving access to a couple of directories above the root of the site, allowing some people to upload files where they should not have.

The switch over to 2003 and manually configuring my server solved that.

Install UrlScan and use the IIS Lockdown tool. This will stop all ../../../ attacks dead in their tracks, regardless of the parent paths setting.
Kevin Bilbee
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Monday, April 03, 2006 2:38 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Declude 4.1 Is Out
Jay,
This is incorrect. You can traverse directories within your root using "../" with Parent Paths disabled, but if you enable it, you can go outside your root so long as the file permissions allow it. Here's a quote from the KB article that you linked to:

"The Parent Paths option (the AspEnableParentPaths metabase property) permits you to use ".." in calls to functions such as MapPath by allowing paths that are relative to the current directory using the ..\ notation. Setting this property to True may constitute a security risk because an include path can access critical or confidential files outside the root directory of the application."
Matt
Jay Sudowski - Handy Networks LLC wrote:
Wrongggggggggg.
Enabling parent paths doesn't allow you to actually enter ../../../../../ and traverse directories in your URL string!
http://support.microsoft.com/default.aspx?scid=kb;en-us;332117
It simply allows you to use ../ in your ASP and SSI includes!
Goodness gracious.
PS - Please use plain text unless you have a particularly compelling reason to post in HTML.
________________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt
Sent: Monday, April 03, 2006 5:27 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Declude 4.1 Is Out
I beg to differ. IMO, Enabling Parent Paths is one of the biggest security risks for a Web server, and IIS disables them by default because of this. Most exploits require multiple configuration mistakes to exploit, and if you enable Parent Paths, it increases your likelihood of being hacked many times over. If you look at your logging of websites on your server, you will likely see entries around 200 at a time from script kiddies, most of which are seeking to exploit configurations where parent paths are enabled.
The proper way to approach this would be to create a virtual directory under the website, and configure an exclusive group as having permissions for the Declude directory.
Matt
Jay Sudowski - Handy Networks LLC wrote:
Practically speaking, the security risks related to parent paths are
near zero. On scale of 0 to 100, having parent paths enabled would be a
.01, assuming your NTFS permissions are tight.
-Jay
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of John T (Lists)
Sent: Monday, April 03, 2006 5:09 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Declude 4.1 Is Out
From the readme.html:
"Parent paths must be enabled."
Sorry, no, they will not be enabled. That is a security risk I am not going to open up on my server.
John T
eServices For You
"Seek, and ye shall find!"
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail-[EMAIL PROTECTED]] On Behalf Of Jay Sudowski - Handy Networks LLC
Sent: Monday, April 03, 2006 1:45 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Declude 4.1 Is Out
http://www.declude.com/Articles.asp?ID=186
Aside from the web admin, are there any other fixes or feature
enhancements? The release notes reference 4.0.9.4 ...
Thanks!
-----
Jay Sudowski // Handy Networks LLC
Director of Technical Operations
Providing Shared, Reseller, Semi Managed and Fully Managed Windows 2003 Hosting Solutions
Tel: 877-70 HANDY x882 | Fax: 888-300-2FAX
www.handynetworks.com
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.
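The thread above argues about two separate mechanisms: the AspEnableParentPaths setting, which governs whether server-side path resolution (#include, Server.MapPath) accepts ".." and so can reach files outside the web root when NTFS permissions allow it, and request-level filtering of "../" in the URL itself, which is what UrlScan does and which the ASP setting does not control. The following Python model is an added example written for this page; it is not code from the thread, from Declude, or from Microsoft. It assumes the directory names it constructs, assumes that every ".." segment is rejected when parent paths are off (standing in for the ASP "Disallowed Parent Path" error), and uses a deny list modelled on UrlScan's default [DenyUrlSequences] section. Paths use forward slashes via posixpath so it runs on any OS.

```python
"""Model of the ASP parent paths setting beside a UrlScan-style URL filter.

Added example, not code from the thread, Declude, or Microsoft. Two
independent mechanisms are modelled:

  1. AspEnableParentPaths: whether server-side path resolution accepts
     ".." segments. With it on, a relative include path can resolve to a
     file outside the web root and only NTFS permissions stand in the way.
  2. A request-level filter like UrlScan's [DenyUrlSequences], which
     rejects ".." (and similar) in the URL itself, whatever the ASP
     setting is.

Directory names below are constructed for illustration.
"""
import posixpath
from urllib.parse import unquote


class ParentPathDisallowed(Exception):
    """Stands in for the ASP 'Disallowed Parent Path' error. Model
    assumption: every '..' segment is rejected when the setting is off."""


def resolve_server_path(current_dir, relative, parent_paths_enabled):
    """Resolve an include/MapPath argument relative to the current
    directory. Deliberately returns the absolute path even when it
    escapes the web root: that is the risk the KB article describes."""
    relative = relative.replace("\\", "/")  # IIS accepts either separator
    segments = [s for s in relative.split("/") if s]
    if ".." in segments and not parent_paths_enabled:
        raise ParentPathDisallowed(relative)
    return posixpath.normpath(posixpath.join(current_dir, relative))


def is_within_root(web_root, path):
    """Containment check an application relying on parent paths should
    enforce itself. Compares whole path components, so that
    '/inetpub/wwwroot/site2' is not mistaken for a child of
    '/inetpub/wwwroot/site' (a plain startswith() check would be)."""
    root = posixpath.normpath(web_root)
    return posixpath.commonpath([root, posixpath.normpath(path)]) == root


# Modelled on the sequences UrlScan's default [DenyUrlSequences] rejects.
DENY_URL_SEQUENCES = ("..", "./", "\\", ":", "%")


def urlscan_like_reject(url, deny_sequences=DENY_URL_SEQUENCES):
    """Return True if the request URL should be rejected. Mirrors two
    UrlScan behaviours: decode the URL once before matching, and treat a
    URL that decodes differently a second time (double encoding) as
    failing normalization."""
    decoded = unquote(url)
    if unquote(decoded) != decoded:
        return True
    return any(seq in decoded for seq in deny_sequences)


if __name__ == "__main__":
    ROOT = "/inetpub/wwwroot/site"  # constructed web root
    APP = ROOT + "/app"             # directory of the calling .asp page
    for setting in (False, True):
        for rel in ("../inc/header.asp", "../../../declude/global.cfg"):
            try:
                target = resolve_server_path(APP, rel, setting)
                verdict = "inside root" if is_within_root(ROOT, target) else "ESCAPES ROOT"
                print(f"parent paths {setting!s:5}: {rel:30} -> {target} ({verdict})")
            except ParentPathDisallowed as exc:
                print(f"parent paths {setting!s:5}: {rel:30} -> rejected ({exc})")
    for url in ("/default.asp",
                "/scripts/..%2f..%2fwinnt/system32/cmd.exe",
                "/scripts/%252e%252e/x.asp"):
        print(f"{url:45} reject={urlscan_like_reject(url)}")
```

Running the block shows the point both sides of the thread were circling: with the setting on, "../../../declude/global.cfg" resolves to a path above the site root and the only remaining control is the filesystem ACL (or a containment check like is_within_root), while the URL filter rejects the traversal attempts in the request line no matter how the ASP setting is configured.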