January 2002

Benefits and Pitfalls of Disabling Parent Paths


I've recently become responsible for administering my company's corporate Web server. After reviewing the configuration, I've suggested disabling parent paths because of security concerns. The company's developers complain that disabling the paths would be overly restrictive and cause them to lose the portability of relative pathnames. IIS requires that if I disable parent paths, I change all instances of file references from relative pathnames (e.g., ../../images/image.jpg) to absolute pathnames (e.g., /graphics/pictures/images/image.jpg). I'm not a developer—could you explain this feature and its impact?

You're right that parent paths are best disabled. (Note that parent paths are enabled by default in IIS 5.0 and earlier.) Parent paths refers to the ability to use a double period (i.e., ..) in a pathname that the server resolves, such as the path in an #include directive or a Server.MapPath call, to refer to the folder above the current folder, so that code can move up the folder tree without knowing the folder's name or where it sits in the hierarchy. The security risk is that any script an intruder manages to upload and run, or any include or MapPath call that builds its path from user-supplied input, can use .. to climb out of the Web root. When it reaches the root of the drive, it can move down from there into known folders that might carry elevated privileges (e.g., C:\Inetpub\scripts, which has Everyone Full Control permission by default, or C:\winnt\system32).

To locate the Enable Parent Paths option, open the Web site's Properties dialog box, click the Home Directory tab, then click Configuration to open the Application Configuration dialog box. (Note that the Configuration button is enabled only if you've created an application at that level. You can create applications for directories and virtual directories in the same way.) Click the App Options tab, which Figure 2 shows, and clear the Enable Parent Paths check box. You can configure this setting for a virtual directory or directory as well as for a Web site; it corresponds to the AspEnableParentPaths metabase property, and lower levels inherit the value set above them unless you override it.
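The following script, added here as an example and not part of the article or of Microsoft's IIS adminscripts, makes the same check from the command line for every site on the server through the IIS ADSI provider, which exposes the check box as the AspEnableParentPaths property. It walks each site's root and every virtual directory or directory beneath it, reports the current value and, if you set the FIX constant (an assumption of this example) to True, clears the property and commits the change. Run it on the Web server as an administrator with cscript.

```vbscript
Option Explicit
' Audit (and optionally clear) AspEnableParentPaths on every Web site,
' virtual directory and directory that has its own node in the IIS metabase.
' FIX is a constant assumed for this example: False reports only, True repairs.
Const FIX = False

Dim objW3SVC, objSite
Set objW3SVC = GetObject("IIS://localhost/W3SVC")

For Each objSite In objW3SVC
    ' W3SVC also contains filters and info nodes; only IIsWebServer objects are sites
    If objSite.Class = "IIsWebServer" Then
        WScript.Echo "Site " & objSite.Name & " (" & objSite.ServerComment & ")"
        Call Audit(GetObject(objSite.ADsPath & "/Root"), "  ")
    End If
Next

' Report one node, fix it if asked, then recurse into its child directories.
Sub Audit(objNode, strIndent)
    Dim objChild
    WScript.Echo strIndent & objNode.Name & " [" & objNode.Class & "] " & _
                 "AspEnableParentPaths=" & objNode.AspEnableParentPaths
    If FIX And objNode.AspEnableParentPaths Then
        objNode.AspEnableParentPaths = False
        objNode.SetInfo                        ' commit to the metabase
        WScript.Echo strIndent & "  -> set to False"
    End If
    For Each objChild In objNode
        ' Virtual directories and configured directories can override the parent's value
        If objChild.Class = "IIsWebVirtualDir" Or objChild.Class = "IIsWebDirectory" Then
            Call Audit(objChild, strIndent & "  ")
        End If
    Next
End Sub
```

A site whose root reports False can still contain a virtual directory that has been set to True explicitly, which is why the script descends into child nodes rather than stopping at each site's root.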

Your developers are correct that they'll need to rework some code. However, doing so might not be as bad as they make it seem. If they're using server-side include (SSI) files and the include paths use .., they need to change

#include file="../xxx"

in the code to

#include virtual="/xxx"

with a full path from the Web site root. (ASP processes the #include directive before any script on the page runs, so this path must be a literal; it can't be built from a variable.) You don't need to change relative hyperlinks, image references or form actions as long as they point to a location inside the Web site structure: the browser, not IIS, resolves those, so the parent paths setting doesn't apply to them. Fortunately, Web site content is often located directly beneath the Web site home folder.

If you have a database or other resource outside the Web structure, your developers won't be able to use ../ or ..\ to point to it from Web pages or the global.asa file. Your developers must use an absolute full pathname with a drive letter. The Server.MapPath method won't accept ..\ or ../ either; with parent paths disabled it raises ASP error 0175, Disallowed Path Characters.

Your developers can use variables to construct the absolute pathname and so keep relative paths in their code. One method is to call Server.MapPath in the global.asa file to get the physical path of the Web root, then assign the resulting path (or its parent folder) to an application variable. Developers can then prepend this variable to the remainder of the path to construct the absolute path.

For example, let's say that D:\inetpub\wwwroot\yourwebroot is the path to your Web root, but your database and upload folders don't reside in the Web root but in D:\inetpub\wwwroot\database and D:\inetpub\wwwroot\upload, respectively. Because you've disabled parent paths, you must reference the absolute location. To work with this setup, you assign the Web root path to a temporary variable, strip the last folder name to get D:\inetpub\wwwroot, then store that in an application-level variable called PathRoot to serve as the base for your relative paths. Listing 1 shows the syntax for the necessary code. In this way, you can address locations outside the Web root without hard-coding them. For more information about parent paths, see the Microsoft articles "Err Msg: Active Server Pages, ASP 0131 Disallowed Parent Path" (http://support.microsoft.com/support/kb/articles/q226/4/74.asp) and "AspEnableParentPaths MetaBase Property Should Be Set to False" (http://support.microsoft.com/support/kb/articles/q184/7/17.asp). Many thanks to Carl Reiss for the answer to this question.
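Here is one way to code that approach, added as an illustration and not the article's Listing 1 (which isn't reproduced on this page). The first part belongs in global.asa and runs once when the application starts; the second part shows what an ASP page does with the result. It assumes the layout above (Web root D:\inetpub\wwwroot\yourwebroot, with the database and upload folders in D:\inetpub\wwwroot), VBScript 5.0 or later for InStrRev, and a database file name, site.mdb, invented for the example. The OutsideWebRoot helper is also this example's addition: it rejects .. so that a path built from user input can't reintroduce the traversal the setting was disabled to prevent.

```vbscript
<SCRIPT LANGUAGE="VBScript" RUNAT="Server">
' ---- global.asa ----------------------------------------------------------
' Compute the folder ABOVE the Web root once, at application start, and keep it
' in an application variable so pages can reach resources outside the Web root
' without ".." and without a hard-coded drive letter.
Sub Application_OnStart
    Dim strWebRoot
    strWebRoot = Server.MapPath("/")            ' D:\inetpub\wwwroot\yourwebroot
    If Right(strWebRoot, 1) = "\" Then          ' normalise: no trailing backslash
        strWebRoot = Left(strWebRoot, Len(strWebRoot) - 1)
    End If
    ' Cut at the last backslash, keeping it: D:\inetpub\wwwroot\
    Application("PathRoot") = Left(strWebRoot, InStrRev(strWebRoot, "\"))
End Sub
</SCRIPT>

<%
' ---- any .asp page -------------------------------------------------------
' Join PathRoot with a path that is relative to the folder above the Web root.
' Refuses ".." so user-supplied input can't climb further, and accepts either
' slash style so the call site stays portable across folder layouts.
Function OutsideWebRoot(strRelative)
    If InStr(strRelative, "..") > 0 Then
        Err.Raise 5, "OutsideWebRoot", "Parent paths are not allowed: " & strRelative
    End If
    strRelative = Replace(strRelative, "/", "\")
    If Left(strRelative, 1) = "\" Then strRelative = Mid(strRelative, 2)
    OutsideWebRoot = Application("PathRoot") & strRelative
End Function

Dim strDbPath, strUploadDir
strDbPath    = OutsideWebRoot("database\site.mdb")   ' D:\inetpub\wwwroot\database\site.mdb
strUploadDir = OutsideWebRoot("upload/")             ' D:\inetpub\wwwroot\upload\

' What this page could NOT do with parent paths disabled:
'   Server.MapPath("../database/site.mdb")     -> ASP 0175 Disallowed Path Characters
'   an #include file directive containing ".."  -> ASP 0131 Disallowed Parent Path

Response.Write "Database: " & Server.HTMLEncode(strDbPath) & "<br>"
Response.Write "Uploads: " & Server.HTMLEncode(strUploadDir)
%>
```

Because PathRoot is derived from Server.MapPath at start-up, moving the whole site to another drive or folder needs no code change; only the relationship between the Web root and its sibling folders has to stay the same.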

Reader Comments
In this article, you have completely ignored the developer argument that the portability of relative pathnames is lost. The solution offered does not address a common coding strategy whereby regularly-used code is held in separate files and inserted into a web page (or "Active" page using ASP, CF, PHP, SHTML, etc.) using an "include" directive, or similar. These directives are executed before "active" code, and therefore cannot be referenced by variable. This is a seriously restrictive issue for a web programmer.

I think the real answer (however unpalatable to web admins) is to lock down the system so that malicious scripts simply can't work on the basis of Windows permissions alone. It means gaining a full understanding of the security issues and overriding a default Windows installation. But why should this be a problem? It appears to be "taking the easy way out" at the expense of the developer and, more importantly, the application.

I hope this is food for thought.

Alan

Alan Shanahan October 20, 2003


Security is in the best interest of both developers and sysadmins. It's also a common coding strategy among developers to connect to SQL Server with 'sa' but as we have seen with worms like Slammer, etc. it is a bad practice.

maxismclaren September 17, 2004


It is more than just being able to upload malicious scripts, though. By traversing parent directories and coupling those results and their corresponding HTML error codes/pages with known files on webserver software, an attacker can easily discern much information about your server. Once it knows exactly what you're running, they've already got one foot in the door and will be at a much better vantage point for a more successful and harder-to-detect attack. ~Michael

Anonymous User March 03, 2005


Your article is informative but, being a programmer, I am inclined to agree with Alan. Restricting portability is completely shattering to any application.

For example, the last piece of software I developed used relative paths, yet the majority of my clients could not run it because they had parent paths disabled. They now HAVE to upload the application to a certain directory, which is not always possible.

I am really hoping I can find a work around for this problem.

Regards.

Anonymous User July 19, 2005


You can work around this problem... just use the Apache Web server and the problem is fixed.

Parent paths should be disabled in IIS because of bad security design; Apache doesn't have this (and many other) problems.

Anonymous User August 04, 2005


Windows IT Pro is a Division of Penton Media Inc.
Copyright © 2008 Penton Media, Inc., All rights reserved.