
iis security : "disable parent paths" apparently not taking effect on IIS6


Jed
8/18/2005 2:07:03 PM
I'm porting several websites from IIS5 to IIS6. On IIS5, the sites all ran
with parent paths allowed. To improve security, I plan on disabling parent
paths on the IIS6 server. To help set up the new machine, I first *enabled*
parent paths on IIS 6 by checking the "enable parent paths" box for "Web
sites" in IIS Manager.

The problem is that when I *uncheck* the "enable parent paths" box, parent
paths still seem to be allowed. Specifically, images referred to by
"../images/myimage.jpg" display fine and if I type
"http://www.mydomain.com/subdirectory/../" I get the home page.

I've checked each website in IIS Manager, and they all *say* that parent
paths are disabled. I'm very confused.

Does anyone know what's going on and how to fix it?

Thanks,
Jed
8/18/2005 8:05:07 PM
I now believe that this is not strange behavior for IIS. Apparently, "enable
parent paths" refers to traversing to directories *above* your web root. The
"../images/myimage.jpg" references will continue to work with parent paths
disabled as long as the images directory is a descendent of your web root.

I guess I don't need an answer anymore! Perhaps my question may help
someone else who is confused...
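
Added example, not part of the original thread: the two references quoted in the posts above, resolved the way a client resolves them (RFC 3986 dot-segment removal, which the WHATWG `URL` class implements) before any request is sent. The referencing page `/subdirectory/page.asp`, the third sample reference and the function names are assumptions made for the illustration.

```javascript
// Added illustration: client-side resolution of the references from the thread.
// Assumption (constructed): the referencing page is /subdirectory/page.asp.

// Build the un-normalized path a reference points at, relative to the base page.
function rawPath(ref, base) {
  const abs = ref.match(/^[a-z][a-z0-9+.-]*:\/\/[^\/?#]*([^?#]*)/i);
  if (abs) return abs[1] || "/";                 // absolute URL: take its own path
  const path = ref.split(/[?#]/)[0];             // drop query string and fragment
  if (path.startsWith("/")) return path;         // root-relative reference
  const basePath = new URL(base).pathname;
  return basePath.slice(0, basePath.lastIndexOf("/") + 1) + path;
}

// Walk the segments by hand to record whether a ".." tried to climb above
// the site root, then compare with the path the URL parser would request.
function resolveReference(ref, base) {
  const stack = [];
  let clampedAtRoot = false;
  for (const seg of rawPath(ref, base).split("/")) {
    if (seg === "..") {
      if (stack.length === 0) clampedAtRoot = true; // nothing left to pop: stays at "/"
      else stack.pop();
    } else if (seg !== "." && seg !== "") {
      stack.push(seg);
    }
  }
  const requestPath = new URL(ref, base).pathname;  // path actually sent to the server
  return {
    requestPath,
    clampedAtRoot,
    dotDotOnWire: requestPath.split("/").includes(".."),
  };
}

const BASE = "http://www.mydomain.com/subdirectory/page.asp"; // constructed base page
for (const ref of [
  "../images/myimage.jpg",                      // from the thread
  "http://www.mydomain.com/subdirectory/../",   // from the thread
  "../../other.txt",                            // constructed: more ".." than depth
]) {
  console.log(ref, "=>", JSON.stringify(resolveReference(ref, BASE)));
}
```

In all three cases the request path contains no `..` segment by the time it leaves the client, and a reference with more `..` segments than the page's depth stops at `/`.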
