[Mono-aspnet-list] asp.net applications allow parent directory access
durrban
admin at jonnyhost.com
Fri May 1 07:37:02 EDT 2009
Hello,
I've recently installed mod_mono and while playing around a bit I discovered
that I could view any file on the server with a simple <!--include file-->
directive. Is there a way to stop this behavior? I know in windows IIS
this is called "parent paths" and is disabled by default.
I've also disabled mod_mono and tried the same include directive using SSI
(.shtml) and it stops the activity. I believe it said that there was an
error with the directive, which is good.
I was planning on offering mod_mono to my clients but with this kind of
behavior, any client could view the passwd file, traverse users directories,
and gank any php/asp scripts stealing database passwords and all kinds of
valuable information.
Any help would be appreciated.
Thanks,
Jonathan
--
View this message in context: http://www.nabble.com/asp.net-applications-allow-parent-directory-access-tp23331820p23331820.html
Sent from the Mono - ASP.NET mailing list archive at Nabble.com.
More information about the Mono-aspnet-list
mailing list