ASP Constructive Tip #1

Thing · May 29, 2003, 09:23 AM

Parent Paths

A parent path is when you reference a file with something like '../util/includes.asp' . This poses a possible security risk and any IIS admin with a clue will have parent paths disabled. Instead, make an absolute reference from your web root such as '/directory/util/includes.asp' .

Trying to use parent paths on a server with it disabled will return an error such as

Code Select

Active Server Pages error 'ASP 0131' 

Disallowed Parent Path 

/maint/maint_includes.asp, line 10 

The Include file '../util/includes.asp' cannot contain '..' to indicate the parent directory.

Yoni · May 29, 2003, 09:45 AM

Please explain to those of us with less ASP experience how parent paths can pose a security risk?

Thing · May 29, 2003, 10:56 AM

The danger is that an evil programmer could upload and execute a script which could traverse up and down the directory tree, accessing files that they have no business accessing.

IIS 5 by default has parent paths enabled. The admin must purposefully turn it off.

Grok · May 29, 2003, 11:54 AM

IISLOCKD.EXE fortunately turns it off for most admins with enough clue to run the utility.

Kp · May 29, 2003, 12:35 PM

Quote from: Thing on May 29, 2003, 10:56 AM
The danger is that an evil programmer could upload and execute a script which could traverse up and down the directory tree, accessing files that they have no business accessing.

So the danger is present only when the ASP writer is untrustworthy or fails to validate input from the user, correct? There is nothing inherently insecure in them if the writer disallows the user specifying directories and the writer can be trusted not to go poking about?

Thing · May 29, 2003, 12:46 PM

Quote from: Grok on May 29, 2003, 11:54 AM
IISLOCKD.EXE fortunately turns it off for most admins with enough clue to run the utility.

IISLOCKD.EXE is awesome but I don't think it disables parent paths.

QuoteThere is nothing inherently insecure in them if the writer disallows the user specifying directories and the writer can be trusted not to go poking about?

Even if you have trustworthy, competent users and programmers, the vulnerability is still there and needs to be resolved.

Adron · May 29, 2003, 03:25 PM

IIS is weird. I would normally have assumed that if you let a programmer upload and run ASP code on your server, then he can access all the files that the user you run his code as is allowed to access.

That's the way I think of things like our forum software - the programmer codes to prevent visitors of the site from getting access to things, but there's no system to prevent the programmer from accessing things if he wants to (or makes a bug to).

Apparently there is something to stop programmers from doing that... Do you do something special to prevent him from running arbitrary code on the server? What about all the ocxes and things he could CreateObject - say that he were to use the mail sending ocx and attach c:\<insert file outside tree here>?

I personally thought that parent paths had to do with accessing things outside the defined site using an url starting with a .. - allowing you to access c:\autoexec.bat by asking the site c:\inetpub\wwwroot for the url ../../autoexec.bat

Thing · May 30, 2003, 08:11 AM

/edit/I took this off because I'm doing something else with that IP address now.