Classic ASP parent paths are disabled by default
Classic ASP Parent Paths let developers use relative addresses that contain ".." in the paths to files or folders. For example, the following code excerpt illustrates an ASP page that maps a parent path:
<% Response.Write Server.MapPath("../example.asp") %>
In addition, the following code except illustrates an ASP page that references an included file in a folder that uses a parent path:
In several earlier versions of IIS, parent paths were enabled by default. In IIS 6.0 the default behavior changed to disable parent paths, and this was done for security and design reasons: by preventing the execution of parent paths, you are preventing the inclusion of content across security or application boundaries. By default, class ASP script error messages are not sent to the Web browser, and any attempts to use parent paths will return the following error message to a Web browser:
An error occurred on the server when processing the URL. Please contact the system administrator. If you are the system administrator, please click here to find out more about this error. (Note: The ASP script error message listed above may be customized. For more information, see the Classic ASP script errors are no longer shown in a Web browser by default topic.)
If you enable sending ASP script error messages and your classic ASP scripts attempt to map a path in a parent folder, you receive the following error message in your Web browser:
Server.MapPath() error 'ASP 0175 : 80004005' Disallowed Path Characters /test/example.asp, line 100 The '..' characters are not allowed in the Path parameter for the MapPath method.
When your classic ASP scripts attempt to include a page that uses parent paths in IIS, you receive the following error message in your Web browser:
Active Server Pages error 'ASP 0131' Disallowed Parent Path /test/example.asp, line 100 The Include file '../_fpclass/fpdblib.inc' cannot contain '..' to indicate the parent directory.
Working with User Access Control
You need to make sure that you follow the steps in this document by using an account that has full administrative permissions. This is best accomplished by using one of two methods:
- Log in to your computer by using the local administrator account.
- If you are logged in using an account that has administrative permissions but that is not the local administrator account, open all applications and all command prompt sessions by using the "Run as Administrator" option.
These above conditions are required because the User Account Control (UAC) security component in Windows Vista and Windows Server 2008 will prevent administrative access to the IIS configuration settings. For more information about UAC, see the following documentation:
Resolving Parent Paths Issues
Using Virtual Paths
As an alternative to using parent paths in your ASP code, you can use virtual paths. Virtual paths require that you enter the full folder path from the URL root of your Web site. For example:
<% Response.Write Server.MapPath("/test/example.asp") %>
Enabling ASP Parent Paths
You can enable or disable parent paths by using IIS Manager. To do so, open IIS Manager and navigate to the site or application where you want to configure parent paths, and then-double click the ASP feature.
In the list of ASP features, configure the Enable Parent Paths option.
You can also configure this setting by using the command-line tool AppCmd.exe with the following syntax:
appcmd.exe set config "Default Web Site" -section:system.webServer/asp /enableParentPaths:"False" /commit:apphost
For additional information about the options that are available for classic ASP, see the following page in the IIS configuration reference on the Microsoft IIS.net Web site:
For additional detail on parent paths in IIS, see the following page in the Microsoft Knowledge Base:
Enable Parent Paths Is Disabled by Default in IIS 6.0