Security issue with .htm pages in folders

  • Thread starter Magnus Blomberg
  • Start date
M

Magnus Blomberg

Hi there!

I am using VS 2005 beta for developing my new web application.
I have a security issue, that I don't know if it is wrong by me, an IIS6 problem or an VS beta problem.

I have a web application where the first page is public and IIS is set up with Anonymous login enabled and Integrated Windows authentication.
All other pages is placed under a folder called Protected created from VS.
My web.config looks like this (shrinked):

<system.web>
<authentication mode="Windows"/>
</system.web>
<location path="Protected">
<system.web>
<authorization>
<allow users="projdev\prospects"/>
<deny users="*"/>
</authorization>
</system.web>
</location>

The problem is that I CAN browse all .htm pages under the folder Protected. The pages named .aspx is protected as they should.

Is it not "allowed" to use .htm pages in my app, or am I doing something wrong?

Regards Magnus
 
R

Rutger Smit

Magnus said:
Hi there!

I am using VS 2005 beta for developing my new web application.
I have a security issue, that I don't know if it is wrong by me, an IIS6
problem or an VS beta problem.

I have a web application where the first page is public and IIS is set
up with Anonymous login enabled and Integrated Windows authentication.
All other pages is placed under a folder called Protected created from VS.
My web.config looks like this (shrinked):

<system.web>
<authentication mode="Windows"/>
</system.web>
<location path="Protected">
<system.web>
<authorization>
<allow users="projdev\prospects"/>
<deny users="*"/>
</authorization>
</system.web>
</location>

The problem is that I CAN browse all .htm pages under the folder
Protected. The pages named .aspx is protected as they should.

Is it not "allowed" to use .htm pages in my app, or am I doing something
wrong?

Regards Magnus
Click to expand...

..htm and .html files are not handles by the asp(.net) parser so you can
request them without a problem.

To change this: rename the files to .aspx or let the htm(l) files being
parsed.

--

//Rutger

DoDotNet@KICKTHIS_Gmail.com
www.RutgerSmit.com
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Security issue on Windows7 1
Problem with a login script, SESSION user rights and put this together so it works with the other pages and MySQL. Code examples. 2
Issue with passing fetched data to POST form. How can I? 0
security... 0
Clarification on a Security Issue 0
validaing security using AD groups... in web.config 2
aspnet pre compilation issue with htm files results in "This is a marker file generated by the preco 1
Restrict access to Classic ASP pages in web.config 2

Members online

No members online now.
Total: 26 (members: 0, guests: 26)
Robots: 371

Forum statistics

Threads
473,755
Messages
2,569,536
Members
45,014
Latest member
BiancaFix3

Latest Threads

Top