AspEnableParentPaths MetaBase Property Should Be Set To False
This article was previously published under Q184717 We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site: http://www.microsoft.com/technet/security/prodtech/IIS.mspx (http://www.microsoft.com/technet/security/prodtech/IIS.mspx) For more information about IIS 7.0, visit the following Microsoft Web site: http://www.iis.net/default.aspx?tabid=1 (http://www.iis.net/default.aspx?tabid=1) SYMPTOMS
Active Server Pages (ASP) code that uses the following parent directory notation is enabled by default: CAUSE
The AspEnableParentPaths property in the MetaBase specifies whether an ASP
can allow paths relative to the current directory (using the ..\
notation). This may be a security risk.
In a security-enhanced environment, the AspEnableParentPaths property should be set to False, but the default installation of Internet Information Server version 4.0 sets it to True. NOTE: Disabling ASP Parent Paths will only affect the execution of dynamic content on .asp pages. This does not affect the server's ability to reference static content using HTML code (whether it is called from .htm, .html or .asp files). The following line in a default.asp would properly display the image without returning an ASP 0131 error, even after AspEnableParentPaths = False:
<img src="../images/logo.jpg">
WORKAROUND
To work around this problem, perform the following steps:
STATUS
Microsoft has confirmed this to be a problem in IIS versions 4.0 and 5.0.
| Article Translations
|
| United States | Change | | | All Microsoft Sites |
Help and Support
Back to the top
|
