Tuesday, July 21, 2009

Enable Parent Paths Is Disabled by Default in IIS 6.0

SYMPTOMS


When you try to view an Active Server Pages (ASP) page that is running on Internet Information Services (IIS) 6.0, you may receive one of the following error messages in your browser:

If the Show Friendly Http Error Messages check box in Microsoft Internet Explorer is not selected:

Server.MapPath()error 'ASP 0175 : 80004005' Disallowed Path Characters

or

ASP error 0131 The include file <%filename.ext%> cannot contain '..' to indicate the parent directory. /<%path%>/<%filename.ext%>, line <%number%>

If the Show Friendly Http Error Messages check box in Microsoft Internet Explorer is selected:

The Page Cannot Be Displayed

or

HTTP 500-Internal server error

CAUSE



You receive this error message if the application calls an ASP method that requires the Parent Paths option to be enabled. The exact error message depends on the method that is being called.

By default, the Parent Paths option is enabled in IIS 5.0, but it is disabled by default in IIS 6.0.


MORE INFORMATION



The Parent Paths option (the AspEnableParentPaths metabase property) permits you to use ".." in calls to functions such as MapPath by allowing paths that are relative to the current directory using the ..\notation. Setting this property to True may constitute a security risk because an include path can access critical or confidential files outside the root directory of the application.

If your application contains a Web page that contains the #include server-side include directive and uses ".." notation to refer to a parent directory, you will experience this issue when the application is run on IIS 6.0 with the default setting.

HOW TO SOLVE



To resolve this problem without changing the application:

1. Click Start, click Administrative Tools, and then click Internet Information Services (IIS) Manager.
2. Double-click your computer name in the left pane, and then double-click Web Sites.
3. Locate the Web site and directory that houses the ASP application.
4. Right-click the application site or directory, and then click Properties.
5. Select Home Directory, and then click Configuration.
6. Click Options, and then click to select the Enable Parent Paths check box.
7. Click OK two times.

Source : http://support.microsoft.com/kb/332117
Posted by at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)