Last post Jun 24, 2009 07:47 PM by Spider Master
Jun 22, 2009 08:57 AM|doitconsultants|LINK
I'm trying to override IIS and allow config file downloads. I am using IIS 6 on W2K3. I have tried using this example that is supposed to allow for all config files except the web.config to be downloaded but it doesn't work. Is there something else
I need to do?
<?xml version="1.0" encoding="utf-8" ?>
<remove verb="*" path="*.config" />
<add verb="*" path="web.config" type="System.Web.HttpForbiddenHandler" />
Jun 23, 2009 02:31 AM|sumitd|LINK
Map .config handler to aspnet_isapi.dll in IIS.
Why do you want let the user see your configuration settings? Usually .config files is used to keep configuration setting which should not be exposted to user and sometimes we keep critical information also.
Jun 24, 2009 07:47 PM|Spider Master|LINK
.config is simply a security protected masked extension for .xml
I would recommend just changing the extension to .xml
By using .config as an extension on the IIS server is telling the server hey this is for you only (IIS) the server handles this with great selfishnish and does not allow "remote access in
any way" to the extension .config
This is the same for Protected folders (App_Data, App_Code, Bin and other extensions such as .dll)
If you really want to allow permissions to the extension .config you will have to do this on the IIS server under security of
full trust. If your site is hosted I doubt you will have full trust.
The previous user is correct. I would give it days before someones bot finds a fully open config file and mess's with!!
So with out full trust there is still a solution. Connect via ftp using credentials allows you access to download the config file as is (of course this is full trust!).
Obviously you want to do this via browser and allow others to do so, how about Duplicating the file and changing the extension to .xml then initiating download?
Actually I just had another thought! The above is suited to IIS6
If you are using IIS7 you would need to define your handler in the new section
<!-- Begin REMOVABLE New Error Checking -->
<!-- End -->
<add name="ScriptModule" preCondition="managedHandler" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=18.104.22.168, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
<add name="ScriptHandlerFactory" verb="*" path="*.asmx" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=22.214.171.124, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
<add name="ScriptHandlerFactoryAppServices" verb="*" path="*_AppService.axd" preCondition="integratedMode" type="System.Web.Script.Services.ScriptHandlerFactory, System.Web.Extensions, Version=126.96.36.199, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
<add name="ScriptResource" preCondition="integratedMode" verb="GET,HEAD" path="ScriptResource.axd" type="System.Web.Handlers.ScriptResourceHandler, System.Web.Extensions, Version=188.8.131.52, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
Look forward to your response!