Problem with AJAX Example



Joe Coley
23-Apr-2007, 06:20 AM
I just downloaded and installed the AJAX beta. When trying to run it I get
the attached error.

The one thing I did other than install defaults was to use a different
directory name.

Ideas??

Anders Ohrt
23-Apr-2007, 06:49 AM
> I just downloaded and installed the AJAX beta. When trying to run it I get
> the attached error.
>
> The one thing I did other than install defaults was to use a different
> directory name.

You need to enable "parent path" in IIS (see
http://support.microsoft.com/kb/332117 for more info). This is a security
risk and I've been meaning to ask DAE about it, but forgot.

// Anders

Joe Coley
23-Apr-2007, 08:59 AM
Thank you Anders -- that took care of the "situation".

Joe


Edwin van der Velden
24-Apr-2007, 04:39 AM
Currently the file head.inc contains

<!-- #include File="../VdfAjaxLib/1.0/includes.inc.asp" -->

Because of the use of relative pathing to the parent path it needs to have
parent path enabled.
I think accessing parent paths like this can give access to files outside of
the folders you're supposed to be restricted to, which would explain the
security risk part, although I think this is only really a security risk in
the case a developer uses the wrong pathing in the wrong place. (Correct me
if I'm wrong about this.)

It should however be possible to include the file without enabling parent
path, like:

<!-- #Include Virtual="AJAXOrderEntry/VdfAjaxLib/1.0/includes.inc.asp" -->
note: use Virtual= instead of File=

This however requires you to include the virtual directory in the path name
and is somewhat less flexible, especially when used as an example that might be
used by people as a base to start their own application or in development
situations where the virtual directory names might be different or changed.

Another possibility which I have not tested but that I think should work is
simply moving the head.inc file to your apphtml folder so you can access the
include file like:
<!-- #include FILE="./VdfAjaxLib/1.0/includes.inc.asp" -->
I don't think it should have any problems with that as you're not trying to
access any parent paths.

-Edwin
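
A static check for the include forms discussed in this post, added here as an example and not code from the thread or from the VDF AJAX library: it reports every `#include File=` directive that only resolves with parent paths enabled and, where the target stays inside the site, gives the `Virtual=` form. The function name `audit_includes`, the `Inc/head.inc` location, the `Default.asp` page and the `..\shared\conn.inc` include are constructed for illustration; the virtual directory is assumed to map to the root the sample paths are relative to.

```python
import posixpath
import re

# Classic ASP server-side include directive, matched case-insensitively.
INCLUDE_RE = re.compile(
    r'<!--\s*#include\s+(file|virtual)\s*=\s*"([^"]*)"\s*-->', re.IGNORECASE)

def audit_includes(pages, vdir):
    """Find File= includes that only resolve with parent paths enabled.

    pages: {path relative to the virtual directory root: ASP source}
    vdir:  virtual directory name (assumption: it maps to that root)
    """
    findings = []
    for page, source in pages.items():
        base = posixpath.dirname(page)
        for lineno, line in enumerate(source.splitlines(), 1):
            for kind, target in INCLUDE_RE.findall(line):
                parts = target.replace("\\", "/").split("/")
                if kind.lower() != "file" or ".." not in parts:
                    continue  # only File= includes with a ".." segment are reported
                resolved = posixpath.normpath(
                    posixpath.join(base, "/".join(parts)))
                escapes = resolved == ".." or resolved.startswith("../")
                findings.append({
                    "page": page, "line": lineno, "target": target,
                    "escapes_root": escapes,
                    # A Virtual= equivalent exists only inside the site root.
                    "virtual": None if escapes else f"{vdir}/{resolved}",
                })
    return findings

# Constructed sample input: file locations are assumptions, not from the thread.
SAMPLE = {
    "Inc/head.inc":
        '<html>\n<!-- #include File="../VdfAjaxLib/1.0/includes.inc.asp" -->\n',
    "Default.asp":
        '<!-- #include FILE="./VdfAjaxLib/1.0/includes.inc.asp" -->\n'
        '<!-- #include file="..\\shared\\conn.inc" -->\n',
}

if __name__ == "__main__":
    for f in audit_includes(SAMPLE, "AJAXOrderEntry"):
        fix = f["virtual"] or "leaves the site root, relocate the file"
        print(f'{f["page"]}:{f["line"]}: {f["target"]} -> {fix}')
```
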




wila
24-Apr-2007, 04:54 AM
Edwin,

Edwin van der Velden wrote:
> Currently the file head.inc contains
>
> <!-- #include File="../VdfAjaxLib/1.0/includes.inc.asp" -->
>
> Because of the use of relative pathing to the parent path it needs to have
> parent path enabled.
> I think accessing parent paths like this can give access to files outside of
> the folders you're supposed to be restricted to, which would explain the
> security risk part, although I think this is only really a security risk in
> the case a developer uses the wrong pathing in the wrong place. (Correct me
> if I'm wrong about this.)

[wil] You're wrong, this opens a HUGE hole. It also means that ANY
visitor of your website can use this in his communication to the server.
A popular example would be something like:
"..\..\..\..\..\..\..\..\WINDOWS\SYSTEM32\CMD.EXE"
which would try to get a remote shell on the server.
Note that if you supply too many of those "..\" it doesn't matter as you
can't get lower than the root drive, so this tactic works nicely.

Remember on the internet you cannot trust the reply to only be what you
expect.

--
Wil

