[转载]AspEnableParentPaths MetaBase Property Should Be Set To False

信息来源：http://support.microsoft.com/kb/q184717/

On this page
SYMPTOMS
CAUSE
WORKAROUND
STATUS
APPLIES TO

SYMPTOMS
Active Server Pages (ASP) code that uses the following parent directory notation is enabled by default:
<!-- #include file="..\default.htm"-->
               
Back to the top

CAUSE
The AspEnableParentPaths property in the MetaBase specifies whether an ASP can allow paths relative to the current directory (using the ..\ notation). This may be a security risk.

In a security-enhanced environment, the AspEnableParentPaths property should be set to False, but the default installation of Internet Information Server version 4.0 sets it to True.

NOTE: Disabling ASP Parent Paths will only affect the execution of dynamic content on .asp pages. This does not affect the server&#39;s ability to reference static content using HTML code (whether it is called from .htm, .html or .asp files). The following line in a default.asp would properly display the image without returning an ASP 0131 error, even after AspEnableParentPaths = False:
<img src="../images/logo.jpg">
Back to the top

WORKAROUND
To work around this problem, perform the following steps:
1. Open the Internet Service Manager in the Microsoft Management Console.  
2. Right-click on the Web server in question.  
3. Select Properties on the pop-up menu.  
4. Click the Home Directory tab.  
5. Select Configuration in the Application Settings box.  
6. Click the App Options tab.  
7. Clear the Enable Parent Paths option.  
8. Click OK twice to return to the Microsoft Management Console.  

Back to the top

STATUS
Microsoft has confirmed this to be a problem in IIS versions 4.0 and 5.0.