[Mono-aspnet-list] asp.net applications allow parent directory access

durrban admin at jonnyhost.com
Fri May 1 07:37:02 EDT 2009


I've recently installed mod_mono and while playing around a bit I discovered
that I could view any file on the server with a simple <!--include file-->
directive.  Is there a way to stop this behavior?  I know in windows IIS
this is called "parent paths" and is disabled by default.

I've also disabled mod_mono and tried the same include directive using SSI
(.shtml) and it stops the activity.  I believe it said that there was an
error with the directive, which is good.

I was planning on offering mod_mono to my clients but with this kind of
behavior, any client could view the passwd file, traverse users directories,
and gank any php/asp scripts stealing database passwords and all kinds of
valuable information.

Any help would be appreciated.

View this message in context: http://www.nabble.com/asp.net-applications-allow-parent-directory-access-tp23331820p23331820.html
Sent from the Mono - ASP.NET mailing list archive at Nabble.com.

More information about the Mono-aspnet-list mailing list