AspEnableParentPaths MetaBase Property Should Be Set To False

ID: Q184717


The information in this article applies to:
  • Microsoft Internet Information Server version 4.0


SYMPTOMS

Active Server Pages (ASP) code that uses the following parent directory notation is enabled by default:


<!-- #include file="..\default.htm"--> 


CAUSE

The AspEnableParentPaths property in the MetaBase specifies whether an ASP page is allowed to use paths relative to the current directory (using the ..\ notation). This may be a security risk.

In a secure environment, the AspEnableParentPaths property should be set to False, but the default installation of Internet Information Server version 4.0 sets it to True.


WORKAROUND

To work around this problem, perform the following steps:

  1. Open the Internet Service Manager in the Microsoft Management Console.

  2. Right-click on the Web server in question.

  3. Select Properties on the pop-up menu.

  4. Click the Home Directory tab.

  5. Select Configuration in the Application Settings box.

  6. Click the App Options tab.

  7. Clear the Enable Parent Paths option.

  8. Click OK twice to return to the Microsoft Management Console.
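
The following is an added example, not part of the original article or any Microsoft tooling: a small Python scanner that locates #include file directives using the ..\ (or ../) notation shown under SYMPTOMS, so the pages that depend on parent paths can be identified when the option is cleared. The function names and the sample page are constructed for illustration.

```python
import re

# <!-- #include file="..." --> in any letter case, with optional whitespace
# and either quote style. Only file= includes are examined, since those are
# the ones the article shows using the ..\ notation.
INCLUDE_FILE_RE = re.compile(
    r'''<!--\s*#include\s+file\s*=\s*(["'])(.*?)\1\s*-->''',
    re.IGNORECASE,
)

def uses_parent_path(path):
    """True if any path segment is exactly '..' (backslash or slash separated)."""
    return ".." in re.split(r"[\\/]", path)

def find_parent_path_includes(source):
    """Return a list of (line_number, path) for includes that climb with '..'."""
    hits = []
    for match in INCLUDE_FILE_RE.finditer(source):
        path = match.group(2)
        if uses_parent_path(path):
            # Line number of the directive's first character (1-based).
            lineno = source.count("\n", 0, match.start()) + 1
            hits.append((lineno, path))
    return hits

# Constructed sample ASP source (not taken from a real site).
SAMPLE_ASP = r'''<%@ Language=VBScript %>
<!-- #include file="..\default.htm"-->
<!-- #INCLUDE FILE="inc/header.inc" -->
<!--#include file="../../shared/footer.inc"-->
<!-- #include virtual="/common/nav.inc" -->
<!-- #include file="notes..bak\x.inc" -->
'''

if __name__ == "__main__":
    for lineno, path in find_parent_path_includes(SAMPLE_ASP):
        print("line %d: parent-path include -> %s" % (lineno, path))
```

Run it over each .asp and include file under the Web server's home directory; a file name that merely contains two dots (such as notes..bak) is not reported, only a path segment that is exactly "..".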



STATUS

Microsoft has confirmed this to be a problem in Internet Information Server version 4.0.

Version : winnt:4.0
Platform : winnt
Issue type : kbbug


Last Reviewed: December 3, 1999
© 2000 Microsoft Corporation. All rights reserved.