Override IIS and allow *.config file downloads

  • Question

  • User-1385650446 posted

    Hi,

     I'm trying to override IIS and allow config file downloads.  I am using IIS 6 on W2K3.   I have tried using this example that is supposed to allow for all config files except the web.config to be downloaded but it doesn't work.  Is there something else I need to do?

    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
      <system.web>
        <httpHandlers>
          <remove verb="*" path="*.config" />
          <add verb="*" path="web.config" type="System.Web.HttpForbiddenHandler" />
        </httpHandlers>
      </system.web>
    </configuration>

    Thanks,

    Mike

    Monday, June 22, 2009 8:57 AM

Answers

  • User854688209 posted

    Map .config handler to aspnet_isapi.dll in IIS.

    Why do you want to let the user see your configuration settings? Usually .config files are used to keep configuration settings which should not be exposed to the user, and sometimes we keep critical information there also.

    I assure you, if the site is hosted on the internet and some critical information is there, it will be compromised in a week.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, June 23, 2009 2:31 AM
  • User-122480877 posted

    .config is simply a security protected masked extension for .xml

    I would recommend just changing the extension to .xml

    Using .config as an extension on the IIS server is telling the server "hey, this is for you only" (IIS); the server handles this with great selfishness and does not allow "remote access in any way" to the extension .config

    This is the same for Protected folders (App_Data, App_Code, Bin and other extensions such as .dll)

    If you really want to allow permissions to the extension .config you will have to do this on the IIS server under security of full trust. If your site is hosted I doubt you will have full trust.

    The previous user is correct. I would give it days before someone's bot finds a fully open config file and messes with it!!

    So without full trust there is still a solution. Connecting via FTP using credentials allows you access to download the config file as is (of course this is full trust!).

    Obviously you want to do this via browser and allow others to do so, so how about duplicating the file and changing the extension to .xml, then initiating the download?

    Actually I just had another thought! The above is suited to IIS6.

    If you are using IIS7 you would need to define your handler in the new section:

     

     <system.webServer>
        <validation validateIntegratedModeConfiguration="false"/>
        <!-- Begin REMOVABLE New Error Checking -->
        <httpErrors errorMode="Detailed"/>
        <asp scriptErrorSentToBrowser="true"/>
        <!-- End -->
        <modules>
          <remove name="ScriptModule"/>
          <add name="ScriptModule" preCondition="managedHandler" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
        </modules>
        <handlers>
          <remove name="WebServiceHandlerFactory-Integrated"/>
          <remove name="ScriptHandlerFactory"/>
          <remove name="ScriptHandlerFactoryAppServices"/>
          <remove name="ScriptResource"/>
          <remove name="WebServiceHandlerFactory-ISAPI-2.0"/>
          <add name="ScriptHandlerFactory" verb="*" path="*.asmx" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
          <add name="ScriptHandlerFactoryAppServices" verb="*" path="*_AppService.axd" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
          <add name="ScriptResource" preCondition="integratedMode" verb="GET,HEAD" path="ScriptResource.axd" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
        </handlers>
      </system.webServer>

    Look forward to your response!

     

     

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, June 24, 2009 7:47 PM
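
An audit sketch for the risk both answers raise, added here as an example and not code from the thread: it replays the question's `<httpHandlers>` edits and lists which `.config` files are no longer covered by `System.Web.HttpForbiddenHandler`. It assumes the inherited handler list blocks `*.config` and that the last matching `<add>` wins; the file names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

FORBIDDEN = "System.Web.HttpForbiddenHandler"
# Assumption: the inherited (machine-level) handler list blocks *.config.
INHERITED = [("*", "*.config", FORBIDDEN)]

# The web.config from the question, embedded so the example runs offline.
QUESTION_CONFIG = """<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <system.web>
    <httpHandlers>
      <remove verb="*" path="*.config" />
      <add verb="*" path="web.config" type="System.Web.HttpForbiddenHandler" />
    </httpHandlers>
  </system.web>
</configuration>"""


def effective_handlers(xml_text, inherited=INHERITED):
    """Apply <clear/>, <remove> and <add> in document order to the inherited list."""
    handlers = list(inherited)
    section = ET.fromstring(xml_text.encode("utf-8")).find("system.web/httpHandlers")
    for el in (section if section is not None else []):
        verb, path = el.get("verb", "*"), el.get("path", "").lower()
        if el.tag == "clear":
            handlers = []
        elif el.tag == "remove":
            handlers = [h for h in handlers if (h[0], h[1]) != (verb, path)]
        elif el.tag == "add":
            handlers.append((verb, path, el.get("type", "").split(",")[0].strip()))
    return handlers


def unprotected(xml_text, filenames):
    """Return the file names whose last matching handler is not HttpForbiddenHandler."""
    handlers = effective_handlers(xml_text)
    exposed = []
    for name in filenames:
        matches = [h for h in handlers if fnmatchcase(name.lower(), h[1])]
        if not matches or matches[-1][2] != FORBIDDEN:
            exposed.append(name)
    return exposed


if __name__ == "__main__":
    # Constructed file names: only web.config keeps its forbidden handler.
    print(unprotected(QUESTION_CONFIG, ["web.config", "connectionStrings.config", "app.config"]))
```

Any name this returns for a file holding connection strings or keys is a reason to keep the default mapping and publish a renamed copy instead, as the second answer suggests.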
