"news.microsoft.com" <me@here.com> wrote in message
news:Oqxjyh3uEHA.3376@TK2MSFTNGP12.phx.gbl...
> If I've enabled Parent Paths (PP) in IIS, but have installed the URL
> Filter
> and disallowed ".." and "../" within links, am I covered from the
> vulnerabilities of PP's?
>
> This allows me to use PP's in #Include statements, but doesn't allow
> visitors to use PP's in their links to access directories on my server.
>
> Is this correct?
>
> TIA
>
>

"Jason Brown [MSFT]" <i-brjaso@online.microsoft.com> wrote in message
news:%23yysoe8uEHA.3200@TK2MSFTNGP14.phx.gbl...
> Yes, unless a malicious user is somehow able to upload a .asp or other
> active file to the server - they could then in theory do just what you're
> doing and use parent paths server-side.
>
> This kind of vulnerability is more common than you may think - if a user
can
> upload a file to a web-viewable directory which contains script, then a
URL
> filter will do no good at all. Then again if you are vulnerable to that
one,
> then disabling PPs server-side is the least of your worries.
>
>
> --
> Jason Brown
> Microsoft GTSC, IIS
>
> This posting is provided "AS IS" with no warranties, and confers no
rights.
>
>
> "news.microsoft.com" <me@here.com> wrote in message
> news:Oqxjyh3uEHA.3376@TK2MSFTNGP12.phx.gbl...
> > If I've enabled Parent Paths (PP) in IIS, but have installed the URL
> > Filter
> > and disallowed ".." and "../" within links, am I covered from the
> > vulnerabilities of PP's?
> >
> > This allows me to use PP's in #Include statements, but doesn't allow
> > visitors to use PP's in their links to access directories on my server.
> >
> > Is this correct?
> >
> > TIA
> >
> >
>
>

"Mike" <me@here.com> wrote in message
news:O1tFwoPvEHA.3624@TK2MSFTNGP09.phx.gbl...
> Thanks for the response...
>
> If an upload folder is present, but the Script rights are set to 'None' on
> that folder, then this vulnerability should be covered, right?
>
> i.e. They may indeed be able to upload an asp file to your upload folder,
> but won't be able to run it.
>
> Thanks,
> Mike
>
>
> "Jason Brown [MSFT]" <i-brjaso@online.microsoft.com> wrote in message
> news:%23yysoe8uEHA.3200@TK2MSFTNGP14.phx.gbl...
>> Yes, unless a malicious user is somehow able to upload a .asp or other
>> active file to the server - they could then in theory do just what you're
>> doing and use parent paths server-side.
>>
>> This kind of vulnerability is more common than you may think - if a user
> can
>> upload a file to a web-viewable directory which contains script, then a
> URL
>> filter will do no good at all. Then again if you are vulnerable to that
> one,
>> then disabling PPs server-side is the least of your worries.
>>
>>
>> --
>> Jason Brown
>> Microsoft GTSC, IIS
>>
>> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>>
>>
>> "news.microsoft.com" <me@here.com> wrote in message
>> news:Oqxjyh3uEHA.3376@TK2MSFTNGP12.phx.gbl...
>> > If I've enabled Parent Paths (PP) in IIS, but have installed the URL
>> > Filter
>> > and disallowed ".." and "../" within links, am I covered from the
>> > vulnerabilities of PP's?
>> >
>> > This allows me to use PP's in #Include statements, but doesn't allow
>> > visitors to use PP's in their links to access directories on my server.
>> >
>> > Is this correct?
>> >
>> > TIA
>> >
>> >
>>
>>
>
>