Using PATH_INFO and PATH_TRANSLATED from CGI Applications (184320)
The information in this article applies to:
- Microsoft Internet Information Server 4.0
This article was previously published under Q184320 We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site: SYMPTOMS
CGI applications often use the HTTP variables PATH_INFO and
PATH_TRANSLATED. However, these may appear to work incorrectly in Internet
Information Server (IIS) version 4.0. These CGI environment variables
return the physical path to the file that was passed to the CGI
application as part of the GET statement. Instead, IIS returns the path to
the CGI script.
CAUSE
This is by design, for security purposes. PATH_INFO and PATH_TRANSLATED
can be used to get information about the physical makeup of the Web server
and thus be used to mount an attack against the server.
WORKAROUND
If you want to use PATH_INFO and PATH_TRANSLATED as specified by the CGI
specification, then use the AllowPathInfoForScriptMappings property. This
property can be set using the Adsutil.vbs tool or the MetaEdit.exe tool,
which comes with the Internet Information Server 4.0 Resource Kit. Using
this property, you can set a Web server to allow or disallow the use of
the variables.
| Modification Type: | Minor | Last Reviewed: | 6/22/2005 |
|---|
| Keywords: | kbpending kbprb KB184320 |
|---|
|