January 2002

Benefits and Pitfalls of Disabling Parent Paths


I've recently become responsible for administering my company's corporate Web server. After reviewing the configuration, I've suggested disabling parent paths because of security concerns. The company's developers complain that disabling the paths would be overly restrictive and cause them to lose the portability of relative pathnames. IIS requires that if I disable parent paths, I change all instances of file references from relative pathnames (e.g., ../../images/image.jpg) to absolute pathnames (e.g., /graphics/pictures/images/image.jpg). I'm not a developer—could you explain this feature and its impact?

You're right that parent paths are best disabled. (Note that parent paths are enabled by default in IIS 4.0 and 5.0; the setting is the AspEnableParentPaths metabase property.) Parent paths refers to the ability to use a double period (i.e., ..) in a pathname that ASP resolves on the server, that is, in an #include file directive or a Server.MapPath call, to refer to the folder above the current folder, so that a script can climb the folder tree without knowing the folder names or where it sits in the hierarchy. The security risk is that a script that climbs far enough reaches the root of the drive and can then descend into known folders outside the Web site's content, such as C:\Inetpub\scripts (which has Everyone Full Control permission by default) or C:\winnt\system32. The script might be one an intruder uploaded, or one of your own that builds an include or MapPath argument from request input without rejecting the .. sequence. Disabling parent paths makes ASP refuse the .. form outright. Treat it as one layer rather than the whole defense: a script that is already running on the server can still open any absolute path the anonymous account's NTFS permissions allow, so the permissions on those folders still matter.

To locate the Enable Parent Paths option, open a Web site's Properties dialog box, click the Home Directory tab, then click Configuration to access the Application Configuration dialog box. (The Configuration button is enabled only if the Web site is the starting point of an application; click Create on the same tab if it isn't. The Directory and Virtual Directory tabs of a directory's or virtual directory's Properties dialog box offer the same Create and Configuration buttons.) Click the App Options tab, which Figure 2 shows, and clear the Enable Parent Paths check box. Because the setting can be configured for a virtual directory or directory as well as for a Web site, an application lower in the tree can override what you set on the site, so check every application, not just the site.
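Clicking through the MMC for every site and every application is tedious and easy to get wrong. The following script, added here and not part of the original article, reports the AspEnableParentPaths value on the W3SVC service, on each Web site's home directory, and on every directory or virtual directory beneath it, and disables the setting where it is still on when run with /fix. It uses the IIS metabase ADSI provider (IIS 4.0 through 6.0; IIS 7 and later need the IIS 6 Metabase Compatibility feature installed). The script name and the /fix switch are this example's own choices; the metabase path IIS://localhost/W3SVC and the property name are IIS's.

```vbscript
' Added example, not part of the original article: audit (and optionally
' disable) AspEnableParentPaths for every Web site and every directory that
' can override it, using the IIS metabase ADSI provider.
' Run on the IIS server:
'   cscript auditparentpaths.vbs        report only
'   cscript auditparentpaths.vbs /fix   report, then set False where True
' (auditparentpaths.vbs and /fix are this example's own names.)
Option Explicit

Dim fixIt
fixIt = WScript.Arguments.Named.Exists("fix")

Dim w3svc, site, root
Set w3svc = GetObject("IIS://localhost/W3SVC")

' The service node holds the value every site inherits unless it overrides it.
WScript.Echo "W3SVC (inherited default): " & w3svc.AspEnableParentPaths

For Each site In w3svc
    ' W3SVC also contains non-site nodes (e.g. Info); only IIsWebServer is a site.
    If site.Class = "IIsWebServer" Then
        ' A site's home directory is its /Root virtual directory.
        Set root = GetObject(site.ADsPath & "/Root")
        Walk site.ServerComment & " (W3SVC/" & site.Name & ")", root
    End If
Next

' Report one node, fix it if asked, then recurse into its directories: a
' directory or virtual directory that is its own application can override
' the site-level setting, so the site's value alone proves nothing.
Sub Walk(label, node)
    WScript.Echo label & " " & node.ADsPath & ": " & node.AspEnableParentPaths
    If fixIt And node.AspEnableParentPaths Then
        node.AspEnableParentPaths = False
        node.SetInfo
        WScript.Echo "    set to False"
    End If
    Dim child
    For Each child In node
        If child.Class = "IIsWebVirtualDir" Or child.Class = "IIsWebDirectory" Then
            Walk label, child
        End If
    Next
End Sub
```

Run it once in report mode before using /fix, because any application that currently relies on .. in an #include or Server.MapPath call will start failing with ASP 0131 or ASP 0175 the moment the property is set to False there.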

Your developers are correct that they'll need to rework some code. However, doing so might not be as bad as they make it seem. Only server-side include (SSI) directives whose path climbs out of the current folder with .. are affected. For those, they need to change

<!-- #include file="..." -->

in the code to

<!-- #include virtual="/xxx" -->

where /xxx is the full path from the Web root (a virtual path, not a physical one). Relative hyperlinks and image references in the HTML (href and src attributes) need no change at all: the browser resolves them into a URL before the request is sent, so the server never sees the .. and the parent-paths setting never applies to them. Only paths that ASP itself resolves on the server are checked. Fortunately, Web site content is often located directly beneath the Web site home folder, where no climbing is needed in the first place.

If you have a database or other resource outside the Web structure, your developers won't be able to use ../ or ..\ to point to it from Web pages or the global.asa file. An #include that tries fails with ASP error 0131 (Disallowed Parent Path), and Server.MapPath fails with ASP error 0175 (Disallowed Path Characters), so the MapPath method won't work with ..\ or ../ either. Your developers must use an absolute full pathname with a drive letter, or derive one at run time as described next.

Your developers can use variables to construct the absolute pathname and so keep relative addressing in their code without hard-coding locations. One method is to call Server.MapPath in the global.asa file's Application_OnStart event to get the physical path of the Web root, derive from it the base folder they need (in the example below, the folder that contains the Web root), and assign the result to an application variable. Pages then append the folder names they need to this variable to build the absolute path.

For example, let's say that D:\inetpub\wwwroot\yourwebroot is the path to your Web root, but your database and upload folder don't reside in the Web root but in D:\inetpub\wwwroot\database and D:\inetpub\wwwroot\upload, respectively. Because you've disabled parent paths, you must reference the absolute location. To work with this setup, you assign the Web root path to a temporary variable, then create an application-level variable called PathRoot to serve as the base for your relative paths. Listing 1 shows the syntax for the necessary code. In this way, you can implement addressing outside the Web root without having to hard-code your locations. For more information about parent paths, see the Microsoft articles "Err Msg: Active Server Pages, ASP 0131 Disallowed Parent Path" (http://support.microsoft.com/support/kb/articles/q226/4/74.asp) and "AspEnableParentPaths MetaBase Property Should Be Set to False" (http://support.microsoft.com/support/kb/articles/q184/7/17.asp). Many thanks to Carl Reiss for the answer to this question.
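Listing 1 itself is not reproduced on this page. The global.asa below is an added example in the spirit of that technique, not the article's listing: it computes the folder above the Web root once, when the application starts, and stores it as Application("PathRoot") together with two derived paths, so pages build absolute paths by concatenation instead of with ..\ . The folder layout is the one the article describes; the variable names and the file name site.mdb are this example's own assumptions.

```vbscript
<SCRIPT LANGUAGE="VBScript" RUNAT="Server">
' Added example, not the article's Listing 1: global.asa that derives the
' folder above the Web root at application start and exposes it to pages.
' Assumed layout (from the article's scenario):
'   Web root  D:\inetpub\wwwroot\yourwebroot
'   database  D:\inetpub\wwwroot\database
'   upload    D:\inetpub\wwwroot\upload
' The variable names and the file name site.mdb are this example's own.
Sub Application_OnStart
    Dim webRoot, pathRoot, pos
    ' Physical home directory of this Web site, e.g. D:\inetpub\wwwroot\yourwebroot.
    ' No .. is involved, so the call is allowed with parent paths disabled.
    webRoot = Server.MapPath("/")
    ' Drop a trailing backslash (present only when the home directory is a
    ' drive root), then the last folder name, to reach the containing folder.
    If Right(webRoot, 1) = "\" Then webRoot = Left(webRoot, Len(webRoot) - 1)
    pos = InStrRev(webRoot, "\")
    If pos > 0 Then
        pathRoot = Left(webRoot, pos - 1)      ' D:\inetpub\wwwroot
    Else
        pathRoot = webRoot                     ' home directory was a drive root
    End If
    Application.Lock
    Application("PathRoot") = pathRoot
    Application("DatabasePath") = pathRoot & "\database\site.mdb"
    Application("UploadPath") = pathRoot & "\upload"
    Application.Unlock
    ' Any page then uses the stored absolute paths instead of ..\, for example:
    '   conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & _
    '             Application("DatabasePath")
    '   fso.CreateTextFile Application("UploadPath") & "\" & safeName
End Sub
</SCRIPT>
```

Two limits to keep in mind. The values are computed only when the application starts, so moving the folders requires restarting the application (or unloading it from the MMC). And #include directives are processed before any script runs, so this variable cannot be used in them; includes that used .. still have to become #include virtual paths as described above. The anonymous Web user account also needs NTFS permission on the database and upload folders, which sit outside the Web root and therefore outside whatever permissions you granted there.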




Reader Comments
In this article, you have completely ignored the developer argument that the portability of relative pathnames is lost. The solution offered does not address a common coding strategy whereby regularly-used code is held in separate files and inserted into a web page (or "Active" page using ASP, CF, PHP, SHTML, etc.) using an "include" directive, or similar. These directives are executed before "active" code, and therefore cannot be referenced by variable. This is a seriously restrictive issue for a web programmer.

I think the real answer (however unpalatable to web admins) is to lock down the system so that malicious scripts simply can't work on the basis of Windows permissions alone. It means gaining a full understanding of the security issues and overriding a default Windows installation. But why should this be a problem? It appears to be "taking the easy way out" at the expense of the developer and, more importantly, the application.

I hope this is food for thought.

Alan

Alan Shanahan October 20, 2003


Security is in the best interest of both developers and sysadmins. It's also a common coding strategy among developers to connect to SQL Server with 'sa', but as we have seen with worms like Slammer, etc., it is a bad practice.

maxismclaren September 17, 2004


It is more than just being able to upload malicious scripts, though. By traversing parent directories and coupling those results and their corresponding HTML error codes/pages with known files on Web server software, an attacker can easily discern much information about your server. Once they know exactly what you're running, they've already got one foot in the door and will be at a much better vantage point for a more successful and harder-to-detect attack. ~Michael

Anonymous User March 03, 2005


Your article is informative but, being a programmer, I am inclined to agree with Alan. Restricting portability is completely shattering to any application.

For example, the last piece of software I developed used relative paths, yet the majority of my clients could not run it because they had parent paths disabled. They now HAVE to upload the application to a certain directory, which is not always possible.

I am really hoping I can find a work around for this problem.

Regards.

Anonymous User July 19, 2005


You can work around this problem... just use the Apache Web server and the problem is fixed.

Parent paths should be disabled in IIS because of bad security design; Apache doesn't have this (and many other) problems.


Anonymous User August 04, 2005

