Microsoft KB Archive/184717

= AspEnableParentPaths MetaBase Property Should Be Set To False =

Article ID: 184717

Article Last Modified on 11/21/2006

-

APPLIES TO


 * Microsoft Internet Information Server 4.0
 * Microsoft Internet Information Services 5.0

-



This article was previously published under Q184717



We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



SYMPTOMS
Active Server Pages (ASP) code that uses the following parent directory notation is enabled by default:



CAUSE
The AspEnableParentPaths property in the MetaBase specifies whether an ASP can allow paths relative to the current directory (using the ..\ notation). This may be a security risk.

In a security-enhanced environment, the AspEnableParentPaths property should be set to False, but the default installation of Internet Information Server version 4.0 sets it to True.

NOTE: Disabling ASP Parent Paths will only affect the execution of dynamic content on .asp pages. This does not affect the server's ability to reference static content using HTML code (whether it is called from .htm, .html or .asp files). The following line in a default.asp would properly display the image without returning an ASP 0131 error, even after AspEnableParentPaths = False:





WORKAROUND
To work around this problem, perform the following steps:


 * 1) Open the Internet Service Manager in the Microsoft Management Console.
 * 2) Right-click on the Web server in question.
 * 3) Select Properties on the pop-up menu.
 * 4) Click the Home Directory tab.
 * 5) Select Configuration in the Application Settings box.
 * 6) Click the App Options tab.
 * 7) Clear the Enable Parent Paths option.
 * 8) Click OK twice to return to the Microsoft Management Console.



STATUS
Microsoft has confirmed this to be a problem in IIS versions 4.0 and 5.0.

Keywords: kbbug kbpending KB184717

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.