«

In classic asp you could help mitigate file traversal problems by uncheking the allow parent paths option in IIS home directory/configuration/options which disallowed the use of the ../ syntax. However this does not seem to work in asp.net, any way to enforce this? Also does anyone know a good way to avoid using the ../ syntax for links apart from hard coding the full url path

Hello,

Thank you for the post. Currently I am performing some research on this
issue, to see if there is a proper solution for ASP.NET. I will update you
as soon as possible.

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Hello,

So far as I researched, this option doesn't make sense in ASP.NET. Pretty
much most of IIS settings do not affect asp.net at all. Usually, asp.net
has its own settings (eg. machine.config etc..) that you use for
configuration.

To protect problems related to this issue, we should rely on ASP.NET
security and NTFS security, to restrict user access other folders.

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)