Important Notice from AspDotNetStorefront
It is with dismay that we report that we have been forced, through the action of hackers, to shut off write-access to this forum. We are keen to leave the wealth of material available to you for research. We have opened a new forum from which our community of users can seek help, support and advice from us and from each other. To post a new question to our community, please visit: http://forums.vortx.com

Thread: Any security risk to Images folder?

  1. #1
    laomao (Member; Join Date: Jan 2009; Posts: 36)

    Any security risk to Images folder?

    I am trying to get your "Security Best Practices" implemented on the production site, and one of them is:

    Write/Modify permissions to the root Images folder

    http://manual.aspdotnetstorefront.co...practices.aspx

    However, my network admin refused to do so, saying there is a potential security risk in giving write/modify access to the Images folder. He quoted some writing from MSDN like this:

    "The biggest security risk of giving the Network Service Account write permissions to folders is experienced in shared hosting or when you run multiple websites on the same server.
    Basically, if you grant modify permissions then every other ASP.NET application that server is configured to run as Network Service (all by default) will also have write permissions to that folder, which could be exploited."


    Now I cannot upload images through the Admin page and instead I will have to use FTP to place them into the folder.

    Is there any risk in reality? If the answer is NO (I agree, because your software is widely used and no one has reported any security holes as far as I know), could you please give me some grounds so that I can persuade him to follow your security best practices?

    Thanks.

  2. #2
    ssgumby (Senior Member; Join Date: Feb 2009; Posts: 683)

    For what it's worth, my network admin had the same concerns. He has allowed it for now but says he wants to figure out a better way around allowing these permissions.

  3. #3
    Jao (Senior Member; Join Date: Oct 2008; Posts: 1,132)

    You shouldn't need to worry; we haven't heard of any security problems or threats regarding the modify permission on {root}/images. Furthermore, any manipulation of images (like upload, or image auto-creation from a large image upload) won't really work.
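
The concern quoted in post #1 is that a built-in account shared by several sites holds write access to the folder. The script below is an added example, not part of the thread or of AspDotNetStorefront; it lists every identity with write-capable rights on the Images folder and marks the ones that are commonly shared between sites. The folder path and the list of shared accounts are assumptions to adjust for the server being checked.

```powershell
# Added example: audit who can write to the storefront Images folder.
# $ImagesPath is an assumed location; point it at the real {root}\images.
param(
    [string]$ImagesPath = 'C:\inetpub\wwwroot\store\images'
)

# Assumed list of built-in identities that more than one site on a server
# may run as or belong to. Edit to match the server's configuration.
$sharedAccounts = @(
    'NT AUTHORITY\NETWORK SERVICE',
    'BUILTIN\IIS_IUSRS',
    'BUILTIN\Users',
    'Everyone'
)

# Bits that allow creating, changing or deleting files. Modify and
# FullControl both include them, so one mask covers all three cases.
# Read-only entries (Read, ReadAndExecute) do not match this mask.
$fsWrite = [int]([System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete')

# Get-Acl can also report raw generic rights on inherit-only entries:
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
$writeMask = $fsWrite -bor 0x40000000 -bor 0x10000000

$acl = Get-Acl -LiteralPath $ImagesPath

$findings = foreach ($ace in $acl.Access) {
    # Deny entries do not grant anything; skip them.
    if ($ace.AccessControlType -ne 'Allow') { continue }

    # Skip entries that carry no write-capable bit.
    if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }

    [pscustomobject]@{
        Identity  = $ace.IdentityReference.Value
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited
        Shared    = $sharedAccounts -contains $ace.IdentityReference.Value
    }
}

# Entries with Shared = True are the ones the quoted MSDN text warns about.
$findings | Sort-Object Shared -Descending | Format-Table -AutoSize
```

A row with `Shared` set to `True` means any other application running under that identity on the same server can also write to the folder.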