3

I've read some articles about ChartImageHandler storage options, and it seems to have 3 options which I have questions about:

  1. If we choose the file option, the image created by MS Chart is first stored in the location we specified. I want to know: if we specify the default location, C:\TempImageFiles, does it have security considerations? I mean, under which Windows user does MS Chart access this folder and write the image to it? Does this carry a hack risk?

  2. If we choose memory, the image is stored in main memory, and if we specify the option deleteAfterServicing=true, it is deleted after being downloaded to the client. I want to know: if we choose the ImageStorageMode="UseHttpHandler" option for the chart, can any hacker use Chart.axd and call it multiple times to cause a memory overflow? What does MS Chart do to prevent this?

  3. If we choose session, the image is stored in a session, and again I want to know whether any hacker can use Chart.axd, calling it multiple times to cause a memory overflow. If there is any exception while creating the image, does it delete the session? After downloading to the client, does it also delete the session?

wonea
Arian

1 Answer

0

Files created on the file system will be available to other Windows users with access to the machine. The files will be created by the ASP user, and as such you could restrict the folder access to just this user, therefore preventing visibility to other normal-level users - though system administrators will most likely have full access.

Creating the images in the memory of the webserver, triggering a memory overflow and therefore leaving your server vulnerable, is no more insecure than any other memory-consuming part of IIS. For example, if a malicious user created many, many anonymous sessions on your webserver, they could trigger the same memory state. Therefore I'd state that you are at very low security risk using methods 2 and 3.

tonycoupland
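The folder restriction suggested in the answer above, as an added example that is not part of the original posts: it reads the image directory out of a ChartImageHandler setting, limits the folder to the worker-process identity plus administrators, and then audits the resulting ACL. The application pool name `ChartAppPool` and the sample setting string are assumptions; run it from an elevated prompt on a server where that pool exists.

```powershell
# Added example, not code from the original question or answer.
# Constructed sample of a ChartImageHandler appSettings value for file storage;
# on a real site this string comes from web.config.
$handlerSetting = 'storage=file;timeout=20;dir=C:\TempImageFiles\;'
# Assumption: the site runs in an application pool named "ChartAppPool".
$poolIdentity   = 'IIS AppPool\ChartAppPool'

# Parse the "key=value;" pairs to find where chart images are written.
$opts = @{}
foreach ($pair in ($handlerSetting -split ';' | Where-Object { $_ })) {
    $k, $v = $pair -split '=', 2
    $opts[$k.Trim().ToLower()] = $v.Trim()
}
if ($opts['storage'] -ne 'file') {
    throw "storage is '$($opts['storage'])'; there is no image folder to lock down."
}
$dir = $opts['dir'].TrimEnd('\')

if (-not (Test-Path -LiteralPath $dir)) {
    New-Item -ItemType Directory -Path $dir | Out-Null
}

# Drop the ACEs inherited from the drive root and grant only what is needed:
# Modify for the worker process, Full control for administrators and SYSTEM.
& icacls $dir /inheritance:r /grant:r `
    "${poolIdentity}:(OI)(CI)M" `
    'BUILTIN\Administrators:(OI)(CI)F' `
    'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Audit: report any identity on the folder that is not in the expected set.
$allowed = @($poolIdentity, 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
$extra = (Get-Acl -LiteralPath $dir).Access |
    Where-Object { $allowed -notcontains $_.IdentityReference.Value }
if ($extra) {
    Write-Warning "Unexpected entries on ${dir}:"
    $extra | Select-Object IdentityReference, FileSystemRights, IsInherited
} else {
    Write-Output "$dir is limited to: $($allowed -join ', ')"
}
```

`/grant:r` replaces only the explicit entries of the three named identities, so the audit step is what surfaces explicit ACEs left behind by earlier configuration.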