Microsoft KB Archive/821128

= Application Center 2000 admin site requires that parent paths be enabled =

Article ID: 821128

Article Last Modified on 12/3/2007

-

APPLIES TO


 * Microsoft Application Center 2000 Standard Edition
 * Microsoft Internet Information Server 4.0
 * Microsoft Internet Information Services 5.0
 * Microsoft Internet Information Services 6.0

-



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



SYMPTOMS
When you use the Application Center 2000 administrator site in Internet Information Services (IIS), you may receive the following error message from Microsoft Management Console (MMC):

ASP error 0131

The include file  cannot contain '..' to indicate the parent directory. / /, line



CAUSE
This error occurs if the Parent Paths option is disabled on the Application Center 2000 administrator site in IIS.



RESOLUTION
You can use the Parent Paths option to use the double-dot notation (&quot;..&quot;) in calls to functions such as MapPath. By default, this option is enabled.

To enable the Parent Paths option, follow these steps:
 * 1) Right-click the root of the Web site, and then click Properties.
 * 2) Click the Home Directory tab, and then click Configuration.
 * 3) Click the Application Options tab, and then click to select the Enable Parent Paths check box.



WORKAROUND
If you are concerned with enabling parent paths, work around this issue by moving the Application Center 2000 Administrative site to a drive that contains no sensitive information or executable programs.



STATUS
Microsoft has confirmed that this is a problem in Application Center 2000.



MORE INFORMATION
The following Microsoft sources recommend that you disable parent paths in IIS version 4 and IIS version 5 to help improve security:  Knowledge Base article

184717 AspEnableParentPaths MetaBase property should be set to False

states:

&quot;In a secure environment, the AspEnableParentPaths property should be set to False....&quot;

 Secure Internet Information Services 5 Checklist

http://technet.microsoft.com/en-us/windowsserver/2000/bb735395.aspx states:

&quot;The Parent Paths option allows you to use '..' in calls to functions such as MapPath. By default, this option is enabled, and you should disable it.&quot;

 Running Microsoft Internet Information Server, chapter 4, page 77, MS Press states:

&quot;Checking the Enable Parent Paths option allows scripts to access files in parent directories using the double-dot (..) notation (for instance something like ..\scripts\fdisk_server_drive.asp). If you enable parent directories, you should not set execute permission on them because it can provide a means for a script to execute an unauthorized program.&quot;

Unfortunately, this is an option only if you have rooted your Web content hierarchy on a drive that does not contain any executables that have to be accessible to your Web applications. The Internet Data Center Prescriptive Architecture Guide II, Chap 11, &quot;Implementing Security Policy under Securing an IIS 5.0 Web Server&quot; states:

&quot;4. Disable parent paths.&quot;

 The following Application Center 2000 documentation states:

&quot;Parent paths allow you to use '..' in calls to MapPath and others. By default, this option is enabled. However, you should disable it.&quot;

Disable Parent Paths

http://technet.microsoft.com/en-us/library/bb687363.aspx

</li></ul>

If you disable Parent Paths, errors occur in Application Center 2000 MMC, as noted in the following references: <ul> Knowledge Base article

288309 Disabling parent paths breaks user interface

</li> The Microsoft Secure Internet Information Services 5 Checklist (mentioned earlier in this article), recommends that you disable parent paths. However, if you disable Parent Paths on the Application Center 2000 administrator site in IIS, you receive the error that is mentioned in &quot;Symptoms&quot;.</li></ul>

Internet Information Services 6.0
Although you can enable parent paths on a &quot;per VrPath&quot; basis in the config store (to make configuring your security settings less of an issue), Microsoft does not recommend this method. Microsoft also does not recommend that you set Disable Parent Path at the VrPath level.

<div class="references_section">