Disallowed Path Characters
Printed From: Web Wiz Forums
Category: Web Wiz Web App Support Forums
Forum Name: Web Wiz Forums
Forum Description: Support forum for Web Wiz Forums application.
URL: https://forums.webwiz.net/forum_posts.asp?TID=24980
Printed Date: 04 April 2026 at 6:32am
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com
Topic: Disallowed Path Characters
Posted By: GrlGeek
Subject: Disallowed Path Characters
Date Posted: 10 December 2007 at 6:04pm
I did a search in the knowledge base, and a search on the forums, but I didn't find the phrase 'Disallowed Path Characters'. I am moving a forum from a server where the admin used the physical path (c:\websites\etc) as the strDbPathAndName to point to the location of the forum database to a hosted server where I need to use the virtual path. The database is an Access database. In the WebWiz Guide, on the 'Securing Your Microsoft Access Database' page (http://www.webwiz.net/webwizforums/kb/moving_access_database.asp), step 4 indicates that I should use ../ to move up the directory tree. However, when I defined the virtual path in database_connection.asp and then attempted to access the forum, I got the error message below:
Server.MapPath() error 'ASP 0175 : 80004005'
Disallowed Path Characters
/forum/database/database_connection.asp, line 87
The '..' characters are not allowed in the Path parameter for the MapPath method.
If I can't use those characters, how do I reference the database outside the root of the website? Or do I have to put the database under the root directory on a hosted server?
Thanks.
Replies:
Posted By: Jono
Date Posted: 10 December 2007 at 6:22pm
I may be wrong, but do you need to "Enable parent paths" on the web server? If so, in IIS manager, right click the web site, select properties, click the "Home Directory" tab, click the "Configuration" button, then the "Options" tab and place a tick in the "Enable parent paths" check box.
Posted By: Jono
Date Posted: 10 December 2007 at 6:38pm
Looks like this may be the cause, however, I note you are on a hosted environment, so you may not be able to make the change. The following blog http://www.bennadel.com/blog/153-The-Characters-Are-Not-Allowed-In-The-Path-Parameter-For-The-MapPath-Method.htm also indicates that the command Request.ServerVariables("APPL_PHYSICAL_PATH") may be of use as it gives the physical path.
Posted By: GrlGeek
Date Posted: 10 December 2007 at 7:59pm
Thank you very much for your reply! The site is hosted, but it is a virtual dedicated server, so I have an email out to the admin to see if this is a change he can make. In the meantime I will try the Request.ServerVariables command, though if it returns the application's path it will still not be high enough in the tree, since the app is under the site root and the database is outside it.
Posted By: jamie.townsend
Date Posted: 10 December 2007 at 8:04pm
Allowing parent paths should fix this and allow you to use ../
The admin should have no problems at all doing this.
However, you really should consider upgrading to SQL as access is poo :D
Posted By: Jono
Date Posted: 10 December 2007 at 8:28pm
I agree with Jamie. If you can't use parent paths, you could put the Access database in a folder with a random name (perhaps even changing its file extension - it should work), so the database becomes something like "7we!rty5\asd75$r.ahgrt" under your forum folder. The APPL_PHYSICAL_PATH will give you the full path to put in the connection string. It's security by obscurity - not brilliant, but better than nothing. The web server may not even serve an "ahgrt" type file to a client, even if they type the full path into the browser.
Posted By: GrlGeek
Date Posted: 10 December 2007 at 9:15pm
Ha, yes, Access=poo. If I had my druthers the site would be using SQL on Linux, but I'm just a contractor trying to reassemble the pieces my client has left after dissolving a relationship with the person who set the site up. So, if I change the file extension, the database will still work?
Posted By: Jono
Date Posted: 10 December 2007 at 10:39pm
Can't guarantee it, but I can't see any reason why not. I have used DTS packages on SQL 2000 to read Access databases with different extensions and as you have to specify the full path including the extension, it should do.
Posted By: WebWiz-Bruce
Date Posted: 11 December 2007 at 11:12am
With Access you can often get away with changing the .mdb extension to .asp.
The Access database would still work when connected to by the JET database driver used by Web Wiz Forums, however, because .asp files get parsed by the ASP.DLL by the web server, if a hacker tried to download the file they would just see an error message thrown by the web server and can't actually download the database.
Posted By: efscl
Date Posted: 13 December 2007 at 1:39pm
A quick note on parent paths.
I am not sure - but I read often that allowing "Enable parent paths" on IIS is a security hole. When you do the "security check" with the Baseline Security Analyzer - this comes up too.
Borg and audience: Your opinions on that?
Posted By: jamie.townsend
Date Posted: 13 December 2007 at 2:44pm
You're right that parent paths are best disabled. (Note that parent paths are enabled by default.) Parent paths refers to the ability to use a double period (i.e., ..) in the pathname to refer to a folder above the current folder so that you can move up the folder tree without knowing the folder name or where you are in the hierarchy.
The security risk of parent paths is that intruders can upload and run a script to move up the folder tree. When the script reaches the root, it can move down from there into known folders that might have elevated privileges (e.g., C:\wwwroot\inetpub\scripts, which has Everyone Full Control permission by default, or C:\winnt\system32).
Posted By: GrlGeek
Date Posted: 13 December 2007 at 4:00pm
So, should I opt for the physical path, is that more secure? And then I'd just need to have the permissions adjusted? I have a conference call with the hosting company today.
Posted By: WebWiz-Bruce
Date Posted: 13 December 2007 at 4:24pm
You don't need to have parent paths enabled to use Web Wiz Forums.
If you wish to place the Access database in the root folder, then the physical path would be better.
However, Access can only handle a handful of users. I would suggest that you look at using either the MySQL version or, better still, the SQL Server version, as these can handle many 1000's of simultaneous connections.
Posted By: Jono
Date Posted: 13 December 2007 at 5:52pm
I would recommend using the physical path. You can use the Request.ServerVariables("APPL_PHYSICAL_PATH") to find out what the physical path is (default install gives C:\Inetpub\wwwroot\). Then create a random folder name and put your Access database in there with a random file name and an asp extension.
As boRg says, some form of SQL server is the way forward. It may be worth considering Web Wiz to host your forum ( http://www.webwiz.net/ ), if you have any difficulty with your current provider.
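An added example, not part of the original thread and not Web Wiz Forums code: one way to set strDbPathAndName to a database outside the web content without passing ".." to Server.MapPath, so it works with parent paths disabled. The folder name private_data, the file name forum.mdb and the helper StripSlash are hypothetical, and the folder is assumed to sit one level above the IIS application root.

```asp
<%
' Added example. Walks up from the application's physical path with the
' file system API instead of "../", then refuses to run if the resulting
' file is missing or still lies inside the site's web content.
Dim objFSO, strAppRoot, strSiteRoot, strParent, strDbPathAndName, strCon

' Hypothetical helper: drop one trailing backslash so prefix tests are exact
Function StripSlash(strPath)
    If Right(strPath, 1) = "\" Then
        StripSlash = Left(strPath, Len(strPath) - 1)
    Else
        StripSlash = strPath
    End If
End Function

Set objFSO = Server.CreateObject("Scripting.FileSystemObject")

' e.g. C:\Inetpub\wwwroot\ on a default install
strAppRoot = StripSlash(Request.ServerVariables("APPL_PHYSICAL_PATH"))
' Physical folder of the site root; "/" contains no "..", so MapPath accepts it
strSiteRoot = StripSlash(Server.MapPath("/"))

strParent = objFSO.GetParentFolderName(strAppRoot)
strDbPathAndName = objFSO.BuildPath(objFSO.BuildPath(strParent, "private_data"), "forum.mdb")

' Fail closed, without echoing the physical path to the browser
If strParent = "" Or Not objFSO.FileExists(strDbPathAndName) Then
    Response.Status = "500 Internal Server Error"
    Response.Write "Database configuration error."
    Response.End
End If

' If the application is a subfolder of the site (e.g. /forum), one level up
' is still web content and the file could be requested by URL
If InStr(1, strDbPathAndName, strSiteRoot & "\", vbTextCompare) = 1 Then
    Response.Status = "500 Internal Server Error"
    Response.Write "Database configuration error."
    Response.End
End If

strCon = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & strDbPathAndName
Set objFSO = Nothing
%>
```

The account IIS runs the site under needs modify rights on the database folder, not just the .mdb file, because Jet creates a lock file beside it.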
Posted By: GrlGeek
Date Posted: 13 December 2007 at 6:52pm
Thanks, y'all. I was able to get the physical path, but I was unable to adjust the permissions on the directory to allow access. GoDaddy uses something called Plesk for the admin interface, and I could see the options I needed, but they were greyed out, even though I was logged in as the server admin. Unfortunately, Web Wiz is not the only added software package I need to run, and the shopping cart has the same issues. The client is switching to a hosting account which will include assistance from the hosting company to get things set up on the virtual dedicated server, so once they get the new server configured I should be able to use the information you've been so kind to share to get things up and running.
SQL is definitely on the agenda (at least it's on MY agenda), but we will probably wait to see if the traffic warrants a switch. The forum has a fairly narrow audience, military veterans seeking civilian career skills assistance, so it may be a while before we have to worry about volume. Of course the client hopes it will be enormous, so I may be back for the SQL version yet.
Thanks again for all the help!
Posted By: GrlGeek
Date Posted: 14 December 2007 at 4:58am
Is that the regular hosted accounts or a dedicated server? We're getting a dedicated (virtual) server, do you know what about the servers is incompatible with Web Wiz? The forum was actually "running" earlier today, in that it would display, but the permissions were not set correctly to allow me to log in, which required a write, I believe. I'd post a link but the server has already been taken down in preparation for moving to the new "assisted" account. I told the tech support during the conference call what I was trying to install, he never mentioned not being able to run it. This server is supposed to be customized to our specifications, it's not one of the vanilla hosted accounts. I hope I can give you some good news in a few days, they did say it might take up to 36 hours to complete the configuration.
Posted By: GrlGeek
Date Posted: 21 December 2007 at 3:41am
I just wanted to thank everyone for your help. As the client had selected GoDaddy for the host, I did end up using the "security by obfuscation" suggestions, and though I know we are skating on thin (and unsupported) ice, I was able to get the forum up and running (with the wimpy Access database). I know we noobs must drive you guys batty with these things, thanks again for being so patient and helpful.