ASMX Code Execution – Page Parser Paths don’t lock em down!

Well, everyone is likely aware of the "no inline code in SharePoint pages" feature called Page Parser Paths.  BUT did you know…ASMX files with code in them…WILL RUN!!!

All you have to do is:

  • Create a web service that has code on the .asmx page
  • Set the blocked file types to remove the .asmx file type
  • Upload the file to a document library
  • Click the file, notice the nice .NET page that gets created to allow you to call the "HelloWorld" method
  • Run the "HelloWorld" method, wow…it runs!

Net net…don't remove ASP.NET file types from the blocked file types of your web application.  You will open your end users and developers to a world of possibilities that you really don't want them to have!
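To make that advice checkable, here is an added example (my own, not part of the original post) that audits every SharePoint web application's blocked file types for ASP.NET extensions that execute server code and, if asked, puts them back. It assumes the SharePoint PowerShell snap-in is available on a farm server and that the caller is a farm administrator. The post names only .asmx; the other extensions in the list (.ashx, .svc, .soap, .xamlx) are my own choice of ASP.NET handler types and can be adjusted to local policy.

```powershell
# Added example (not from the original post): audit SharePoint web applications for
# ASP.NET code-executing extensions missing from BlockedFileExtensions and optionally re-add them.
# Assumes: run on a farm server as a farm administrator with the SharePoint snap-in installed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# ".asmx" is the type the post demonstrates; the rest are my own additions (assumption),
# chosen because ASP.NET hands them to a handler that runs server-side code.
$aspNetExecutable = @('asmx', 'ashx', 'svc', 'soap', 'xamlx')

function Test-BlockedAspNetTypes {
    param(
        [switch]$Fix   # when set, re-add any missing extension and save the web application
    )
    foreach ($webApp in Get-SPWebApplication) {
        # BlockedFileExtensions is a string collection; SharePoint stores entries lower-case, no dot.
        $blocked = $webApp.BlockedFileExtensions
        $missing = @($aspNetExecutable | Where-Object { -not $blocked.Contains($_) })

        if ($missing.Count -eq 0) {
            Write-Host "[OK]    $($webApp.DisplayName): all listed ASP.NET types are blocked"
            continue
        }

        Write-Warning "$($webApp.DisplayName): NOT blocked -> $($missing -join ', ')"
        if ($Fix) {
            foreach ($ext in $missing) { [void]$blocked.Add($ext) }
            $webApp.Update()   # persist the change to the configuration database
            Write-Host "[FIXED] $($webApp.DisplayName): re-added $($missing -join ', ')"
        }
    }
}

# Report only; run "Test-BlockedAspNetTypes -Fix" to restore the blocked entries.
Test-BlockedAspNetTypes
```

Run it read-only first; a warning line for any web application means someone has opened exactly the door the post describes. Because BlockedFileExtensions only stops uploads, files already sitting in document libraries are not removed by re-adding the extension, so a warning is also a cue to search existing libraries for those file types.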

I'm not sure if this is by design or not, but as a CISSP, this is not a good thing in my eyes!