Security issue with .htm pages in folders

Hi there!

I am using VS 2005 beta for developing my new web application.
I have a security issue, and I don't know whether it is a mistake on my part, an IIS6 problem or a VS beta problem.

I have a web application where the first page is public and IIS is set up with Anonymous login enabled and Integrated Windows authentication.
All other pages are placed under a folder called Protected, created from VS.
My web.config looks like this (shortened):

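<configuration>
  <!-- Windows authentication for the whole application -->
  <system.web>
    <authentication mode="Windows"/>
  </system.web>
  <!-- For the Protected folder: allow projdev\prospects, deny everyone else -->
  <location path="Protected">
    <system.web>
      <authorization>
        <allow users="projdev\prospects"/>
        <deny users="*"/>
      </authorization>
    </system.web>
  </location>
</configuration>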

The problem is that I CAN browse all .htm pages under the folder Protected. The pages named .aspx are protected as they should be.

Is it not "allowed" to use .htm pages in my app, or am I doing something wrong?

Regards Magnus

Nov 18 '05 #1
.htm and .html files are not handled by the asp(.net) parser, so you can
request them without a problem.

To change this: rename the files to .aspx or let the htm(l) files be
parsed.

--

//Rutger

DoDotNet@KICKTHIS_Gmail.com
www.RutgerSmit.com
Nov 18 '05 #2
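
An added audit sketch, not code from the thread: it reads a web.config, finds each `<location>` path that carries a `<deny>` rule, and lists the files beneath it whose extension is not routed to ASP.NET, which per the answer above are the files the authorization rules never run for. The extension set, the function names and the sample site tree are assumptions constructed for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Assumption: extensions this server's script map sends to ASP.NET; adjust to match.
ASPNET_EXTENSIONS = {".aspx", ".ascx", ".ashx", ".asmx", ".axd", ".config"}

# Constructed sample: the thread's web.config wrapped in a root element.
SAMPLE_CONFIG = r"""<configuration>
  <system.web><authentication mode="Windows"/></system.web>
  <location path="Protected">
    <system.web><authorization>
      <allow users="projdev\prospects"/>
      <deny users="*"/>
    </authorization></system.web>
  </location>
</configuration>"""

def protected_paths(config_xml):
    """Return <location> paths whose authorization section has a <deny> rule."""
    root = ET.fromstring(config_xml)
    return [loc.get("path", "") for loc in root.iter("location")
            if loc.find("./system.web/authorization/deny") is not None]

def files_outside_aspnet(app_root, config_xml):
    """List files under protected locations that ASP.NET would never see."""
    findings = set()
    for rel in protected_paths(config_xml):
        target = os.path.join(app_root, *rel.split("/"))
        # A <location> path may name a single file or a whole folder.
        candidates = [target] if os.path.isfile(target) else [
            os.path.join(d, f) for d, _, fs in os.walk(target) for f in fs]
        for path in candidates:
            if os.path.splitext(path)[1].lower() not in ASPNET_EXTENSIONS:
                findings.add(os.path.relpath(path, app_root).replace(os.sep, "/"))
    return sorted(findings)

def demo():
    """Build a constructed site tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("default.htm", "Protected/report.aspx",
                    "Protected/help.htm", "Protected/img/logo.gif"):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return files_outside_aspnet(root, SAMPLE_CONFIG)

if __name__ == "__main__":
    for finding in demo():
        print("served without URL authorization:", finding)
```

On the constructed tree it flags `Protected/help.htm` and `Protected/img/logo.gif` and leaves `Protected/report.aspx` and the public `default.htm` alone.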
Ok, then I know. I will rename them.
Thanks

Regards Magnus
Nov 18 '05 #3