Matt,

For what you describe to occur, your attacker has already managed to upload an ASP file to your web site!!! Do you not see the distinction here?

Enabling parent paths allows ASP to use ../ notation to break out of the web root directory and access other resources. For this to be a risk, someone actually has to upload an ASP script that would make use of this notation. And if they can already manage to upload an executable script to your web root, you are pretty much screwed. If they can upload an ASP script, you can be assured that they are uploading Windows ASP-based rootkit / mass-deface tools. In that case, the only thing that will save you is properly secured NTFS permissions.

Enabling parent paths does not allow an attacker to enter http://www.mailpure.com/../../../../windows/system32/dns/mailpure.com.dns and download your mailpure zone file. This is not what Parent Paths controls in any way! You seem to be confusing the IIS Unicode Directory Traversal bug with Parent Paths. The two are completely different things. The failed requests that you probably see in your log files are trying to exploit the Unicode Directory Traversal bug, not anything related to Parent Paths.

http://www.microsoft.com/technet/security/bulletin/MS00-078.mspx

- Jay

________________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Monday, April 03, 2006 5:38 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Declude 4.1 Is Out

Jay,

This is incorrect. You can traverse directories within your root using "../" with Parent Paths disabled, but if you enable it, you can go outside your root so long as the file permissions allow it. Here's a quote from the KB article that you linked to:

"The Parent Paths option (the AspEnableParentPaths metabase property) permits you to use ".." in calls to functions such as MapPath by allowing paths that are relative to the current directory using the ..\ notation. Setting this property to True may constitute a security risk because an include path can access critical or confidential files outside the root directory of the application."
Matt

Jay Sudowski - Handy Networks LLC wrote:

Wrongggggggggg. Enabling parent paths doesn't allow you to actually enter ../../../../../ and traverse directories in your URL string!

http://support.microsoft.com/default.aspx?scid=kb;en-us;332117

It simply allows you to use ../ in your ASP and SSI includes! Goodness gracious.

PS - Please use plain text unless you have a particularly compelling reason to post in HTML.

________________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: Monday, April 03, 2006 5:27 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] Declude 4.1 Is Out

I beg to differ. IMO, enabling Parent Paths is one of the biggest security risks for a Web server, and IIS disables them by default because of this. Most exploits require multiple configuration mistakes to exploit, and if you enable Parent Paths, it increases your likelihood of being hacked many times over. If you look at your logging of websites on your server, you will likely see entries around 200 at a time from script kiddies, most of which are seeking to exploit configurations where parent paths are enabled.

The proper way to approach this would be to create a virtual directory under the website, and configure an exclusive group as having permissions for the Declude directory.

Matt

Jay Sudowski - Handy Networks LLC wrote:

Practically speaking, the security risks related to parent paths are near zero. On a scale of 0 to 100, having parent paths enabled would be a .01, assuming your NTFS permissions are tight.

-Jay

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
Sent: Monday, April 03, 2006 5:09 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] Declude 4.1 Is Out

From the readme.html: "Parent paths must be enabled."

Sorry, no they will not be enabled. That is a security risk I am not going to open up on my server.
John T
eServices For You
"Seek, and ye shall find!"

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Jay Sudowski - Handy Networks LLC
Sent: Monday, April 03, 2006 1:45 PM
To: Declude.JunkMail@declude.com
Subject: [Declude.JunkMail] Declude 4.1 Is Out

http://www.declude.com/Articles.asp?ID=186

Aside from the web admin, are there any other fixes or feature enhancements? The release notes reference 4.0.9.4 ...

Thanks!

-----
Jay Sudowski // Handy Networks LLC
Director of Technical Operations
Providing Shared, Reseller, Semi Managed and Fully Managed Windows 2003 Hosting Solutions
Tel: 877-70 HANDY x882 | Fax: 888-300-2FAX
www.handynetworks.com

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
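The thread above argues about two different path decisions that often get conflated: how IIS maps a request URL onto the file system (where the MS00-078 Unicode traversal bug lived) and how classic ASP resolves a relative path handed to Server.MapPath or an #include (what AspEnableParentPaths controls). The following is an added illustration written for this page; it is a small Python model, not code from IIS, ASP, Declude or any list member. The web root, the "admin" and "inc" directories, the IUSR/SYSTEM identities and the NTFS ACL table are assumed for the demonstration, paths are POSIX-style with the drive letter dropped, and the one-line treatment of the overlong encoding %c0%af stands in for the real decoder.

```python
"""Model of URL-to-file mapping versus ASP parent-path resolution.

Illustrative only: not IIS or ASP source.  Root layout, accounts and ACLs
are assumed; the %c0%af handling is a stand-in for the real UTF-8 decoder.
"""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/inetpub/wwwroot"  # assumed site root (C:\inetpub\wwwroot)

# Assumed NTFS read ACLs: directory -> identities allowed to read beneath it.
NTFS_READ_ACL = {
    "/inetpub/wwwroot": {"IUSR", "Administrators", "SYSTEM"},
    "/windows/system32/dns": {"Administrators", "SYSTEM"},
}


def _decode(url_path: str) -> str:
    # Stand-in for the decoder: the overlong encoding %c0%af becomes '/',
    # which is what the MS00-078 requests relied on; then percent-decode.
    return unquote(url_path.replace("%c0%af", "/").replace("%C0%AF", "/"))


def inside_root(path: str, root: str = WEB_ROOT) -> bool:
    return path == root or path.startswith(root + "/")


def map_url_to_file(url_path: str, decode_after_normalize: bool = False) -> str:
    """Map a request path such as '/foo/../bar' onto the file system.

    Default (correct) order: decode, normalise, then prepend the root.  Every
    '..' collapses against '/' before the root is attached, so a URL cannot
    reach above WEB_ROOT no matter how parent paths is set.

    decode_after_normalize=True reproduces the MS00-078 mistake: the path is
    canonicalised while '..%c0%af' still looks like an ordinary file name and
    is decoded only afterwards, so the '..' is resolved by the file system.
    """
    if decode_after_normalize:
        decoded = _decode(posixpath.normpath(url_path))
        return posixpath.normpath(WEB_ROOT + decoded)  # file system resolves '..'
    return WEB_ROOT + posixpath.normpath(_decode(url_path))


def asp_map_path(relative: str, current_dir: str, enable_parent_paths: bool) -> str:
    """Model of Server.MapPath / '#include file' resolution.

    With AspEnableParentPaths off, a '..' segment is refused outright (classic
    ASP error 0175, Disallowed Path Characters).  With it on, the relative path
    is resolved and may land outside WEB_ROOT; ASP itself does not stop that.
    """
    if ".." in relative.replace("\\", "/").split("/") and not enable_parent_paths:
        raise PermissionError("ASP 0175: '..' is not allowed in the Path parameter")
    return posixpath.normpath(posixpath.join(WEB_ROOT, current_dir, relative))


def ntfs_allows_read(path: str, identity: str) -> bool:
    """Longest-prefix lookup in the assumed ACL table: the deepest entry wins."""
    covering = [d for d in NTFS_READ_ACL if path == d or path.startswith(d + "/")]
    if not covering:
        return False
    return identity in NTFS_READ_ACL[max(covering, key=len)]


def trace_include(relative: str, current_dir: str, enable_parent_paths: bool,
                  identity: str = "IUSR") -> str:
    """Follow one include through both controls and report where it stops."""
    try:
        target = asp_map_path(relative, current_dir, enable_parent_paths)
    except PermissionError:
        return "rejected: parent paths disabled"
    note = "" if inside_root(target) else "outside web root, "
    if ntfs_allows_read(target, identity):
        return f"read {target} ({note}NTFS allows {identity})"
    return f"denied {target} ({note}NTFS denies {identity})"


if __name__ == "__main__":
    probe = "/scripts/..%c0%af..%c0%af..%c0%afwinnt/system32/cmd.exe"
    print("URL, fixed IIS :", map_url_to_file(probe))
    print("URL, MS00-078  :", map_url_to_file(probe, decode_after_normalize=True))
    dns = "../../../../windows/system32/dns/mailpure.com.dns"
    for enabled in (False, True):
        print(f"parent paths={enabled}:", trace_include(dns, "admin", enabled))
```

Run as a script it shows the three outcomes the thread is circling: a literal ../../ in the URL is collapsed before the root is attached, so it never leaves wwwroot regardless of the parent-paths setting; the encoded form only escapes when decoding happens after canonicalisation, which is the MS00-078 ordering bug and nothing to do with ASP; and an ASP include using .. is refused with parent paths off, while with it on the request reaches the target and the NTFS ACL is the control that decides whether the anonymous identity can read it.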