IIS 6.0 And ASP Security Question

[manitoba]

IIS 6.0 has a security feature where an ASP script from one virtual root cannot access the file system mapped to a different virtual root. Does anyone know how to disable this?

 

[ChrisHirst]

If you mean the ability to use ../ to access folders and files outside the webroot, you are looking to enable parent paths.

It is on the Home Directory tab -> Configuration... -> App Options -> Enable parent paths checkbox.



Chris.

Indifference will be the downfall of mankind, but who cares?

http://www.candsdesign.co.uk

A website that proves the cobblers kids adage.

http://www.cram-system.com

Nightclub counting systems

So long, and thanks for all the fish.

 

[manitoba]

Thanks Chris, but it's not parent paths that I am after. Say in IIS 6.0 you create 2 Web sites and map them to:

C:\Site1
C:\Site2

If I write an ASP script that runs in Site1, it cannot access the folder C:\Site2

File permissions on both folders are set to Full Control for Everyone.

 

[ChrisHirst]

It can't be done for pretty obvious reasons. It's one of the reasons parent paths are normally disabled. If it was easily done it would leave every IIS hosted server open to directory traversal attack by every script kiddie in the world.

you can make the FSO access the site folders directly but the paths would have to be hardcoded and the NTFS permissions would need to be set accordingly.

But scripts normally can only run in the context of the one site.

Chris.

Indifference will be the downfall of mankind, but who cares?

http://www.candsdesign.co.uk

A website that proves the cobblers kids adage.

http://www.cram-system.com

Nightclub counting systems

So long, and thanks for all the fish.