Application Center 2000 admin site requires that parent paths be enabled (821128)


The information in this article applies to:

  • Microsoft Application Center 2000
  • Microsoft Internet Information Server 4.0
  • Microsoft Internet Information Services 5.0
  • Microsoft Internet Information Services version 6.0
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx

SYMPTOMS

When you use the Application Center 2000 administrator site in Internet Information Services (IIS), you may receive the following error message from Microsoft Management Console (MMC):
ASP error 0131
The include file %filename.ext% cannot contain '..' to indicate the parent directory. /%path%/%filename.ext%, line %number%

CAUSE

This error occurs if the Parent Paths option is disabled on the Application Center 2000 administrator site in IIS.

RESOLUTION

You can use the Parent Paths option to use the double-dot notation ("..") in calls to functions such as MapPath. By default, this option is enabled.

To enable the Parent Paths option, follow these steps:
  1. Right-click the root of the Web site, and then click Properties.
  2. Click the Home Directory tab, and then click Configuration.
  3. Click the Application Options tab, and then click to select the Enable Parent Paths check box.

WORKAROUND

If you are concerned with enabling parent paths, work around this issue by moving the Application Center 2000 Administrative site to a drive that contains no sensitive information or executable programs.

STATUS

Microsoft has confirmed that this is a problem in Application Center 2000.

MORE INFORMATION

The following Microsoft sources recommend that you disable parent paths in IIS version 4 and IIS version 5 to help improve security:
  • Knowledge Base article

    184717 AspEnableParentPaths MetaBase property should be set to False

    states:

    "In a secure environment, the AspEnableParentPaths property should be set to False...."

  • Secure Internet Information Services 5 Checklist
    http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/iis/tips/iis5chk.mspx states:

    "The Parent Paths option allows you to use '..' in calls to functions such as MapPath. By default, this option is enabled, and you should disable it."

  • Running Microsoft Internet Information Server, chapter 4, page 77, MS Press states:

    "Checking the Enable Parent Paths option allows scripts to access files in parent directories using the double-dot (..) notation (for instance something like ..\scripts\fdisk_server_drive.asp). If you enable parent directories, you should not set execute permission on them because it can provide a means for a script to execute an unauthorized program."

    Unfortunately, this is an option only if you have rooted your Web content hierarchy on a drive that does not contain any executables that have to be accessible to your Web applications.
  • The Internet Data Center Prescriptive Architecture Guide II, Chap 11, "Implementing Security Policy under Securing an IIS 5.0 Web Server" states:

    "4. Disable parent paths."

  • The following Application Center 2000 documentation states:

    "Parent paths allow you to use '..' in calls to MapPath and others. By default, this option is enabled. However, you should disable it."

    Disable Parent Paths
    http://www.microsoft.com/technet/prodtechnol/acs/proddocs/accrsc_iisdpp.mspx

If you disable Parent Paths, errors occur in Application Center 2000 MMC, as noted in the following references:
  • Knowledge Base article

    288309 Disabling parent paths breaks user interface

  • The Microsoft Secure Internet Information Services 5 Checklist (mentioned earlier in this article), recommends that you disable parent paths. However, if you disable Parent Paths on the Application Center 2000 administrator site in IIS, you receive the error that is mentioned in "Symptoms".

Internet Information Services 6.0

Although you can enable parent paths on a "per VrPath" basis in the config store (to make configuring your security settings less of an issue), Microsoft does not recommend this method. Microsoft also does not recommend that you set Disable Parent Path at the VrPath level.

REFERENCES

For more information about disabling parent paths, click the following article number to view the article in the Microsoft Knowledge Base:

288309 Disabling parent paths breaks user interface

Modification Type:MajorLast Reviewed:11/16/2005
Keywords:kbprb KB821128 kbAudDeveloper
©2004 Microsoft Corporation. All rights reserved.