
Error Message: ASP 0131, Disallowed Parent Path

(Kristofer Gafvert, January 1, 2005)

Parent Paths is a feature (related to ASP) that allows you to use "..\" to move upwards and access files in a parent folder. Parent Paths is considered to be dangerous because it may be used by an intruder to access critical or confidential files outside the root of the application. Since IIS 6.0 is locked down by default, Parent Paths is disabled on a default installation of IIS 6.0. This means that if your code includes (for example):

<!--#include file="../test.asp"-->

you will see this error message (if "Show Friendly HTTP Error Messages" is disabled):

Active Server Pages error 'ASP 0131'
Disallowed Parent Path
/folder1/folder2/default.asp, line 3
The Included file '../test.asp' cannot contain '..' to indicate the parent directory.

The best solution to this is to use absolute virtual paths instead of relative paths. For example:

<!--#include virtual="/includes/test.asp"-->
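As an added example (not part of the original article), the following Python script finds `#include file` directives that contain `..` and proposes the equivalent `#include virtual` directive. The function names and the sample page are constructed for illustration, and the script assumes the physical folder layout mirrors the site's virtual paths (no virtual directories mapped elsewhere).

```python
import posixpath
import re

# Matches <!--#include file="..."--> (the relative form; virtual= is left alone).
INCLUDE_RE = re.compile(r'<!--\s*#include\s+file\s*=\s*"([^"]+)"\s*-->', re.I)

def to_virtual(page_vpath, include_path):
    """Resolve include_path against the page's virtual directory.

    Returns an absolute virtual path, or None when the path climbs above
    the site root. Assumption: physical folders mirror virtual paths.
    """
    parts = [p for p in posixpath.dirname(page_vpath).split("/") if p]
    for seg in include_path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                return None  # would leave the application root
            parts.pop()
        else:
            parts.append(seg)
    return "/" + "/".join(parts)

def audit(page_vpath, source):
    """Return (line, original path, suggested directive or None) per finding."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in INCLUDE_RE.finditer(line):
            path = m.group(1)
            if ".." not in path.replace("\\", "/").split("/"):
                continue  # no parent-path segment in this include
            target = to_virtual(page_vpath, path)
            fix = f'<!--#include virtual="{target}"-->' if target else None
            findings.append((lineno, path, fix))
    return findings

# Constructed sample page, saved as /folder1/folder2/default.asp
SAMPLE = r'''<%@ Language=VBScript %>
<html>
<!--#include file="../test.asp"-->
<!--#include file="header.asp"-->
<!--#include file="..\..\..\secret.inc"-->
</html>'''

if __name__ == "__main__":
    for lineno, path, fix in audit("/folder1/folder2/default.asp", SAMPLE):
        print(lineno, path, "->", fix or "escapes site root: review manually")
```

An include that resolves above the site root gets no suggested rewrite, because no virtual path can express it; those are the includes to review by hand.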

Another solution is to enable parent paths. This is, however, not recommended! To enable parent paths:

  • Click Start->Programs->Administrative Tools->Internet Information Services
  • Expand Web Sites and right-click the web site you want to enable this for (e.g. Default Web Site), then click Properties
  • Click the Home directory tab and click the Configuration button
  • Click on the Options tab
  • Check the box Enable Parent Paths

Applies to

IIS 6.0

Resources

KB 332117, Enable Parent Paths Is Disabled by Default in IIS 6.0
IIS Security Center