If I give the Asp.Net user account (Network Service for Win 2003) modify rights to the root folder of my public website can a user send a request to the server to somehow modify the .aspx files of my website? What are the risks of doing this?
Short answer: Don’t do it
Long answer: Still don’t, but here is one scenario followed through that might make you think twice (there are probably many, many more):
If you have a file-upload control anywhere on your site, say for image uploads, and an attacker manages to compromise your security (don’t forget this does not necessarily mean breaking your site – they might just hijack someone’s session or manage to guess/steal a password) they can upload a malicious script (.aspx page). The site has “modify” permissions so it can write the file to disk.
I see you tagged the question with .net, so imagine they upload an .aspx page with some `<script runat="server">...</script>` that reads the contents of the web.config file and displays them. Did you put any database connection strings with passwords in clear text in your web.config file? Cos’ if you did, imagine their next step is to upload a new .aspx file that connects to those databases… they can then read your databases, delete data, change data… They probably don’t really need the username/password because they can just use your named connection strings, but that information could be useful for another attack that I haven’t thought of here.
I think you see where this scenario goes…
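A quick way to check the situation the question describes, added here as an example and not part of the answer above: audit the site root's ACL and report any Allow entry that gives the worker identity (or a group it always belongs to) write rights. The root path and the identity name are assumptions; change them for your server.

```powershell
# Added example: does the ASP.NET worker identity hold write rights on the web root?
# Both values below are assumptions; adjust for your site and app pool.
param(
    [string]$WebRoot  = 'C:\inetpub\wwwroot',           # assumed site root
    [string]$Identity = 'NT AUTHORITY\NETWORK SERVICE'  # assumed worker identity
)

# Any of these rights lets a process create or replace files in the folder,
# which is all that is needed to drop a new .aspx page into the site.
$writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
               [System.Security.AccessControl.FileSystemRights]::WriteData

# Groups the worker identity is effectively a member of, so a grant to any of
# them counts just as much as a grant to the account itself.
$impliedGroups = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')

function Test-WebRootWritable {
    param([string]$Path, [string]$Account)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # Deny entries restrict; only Allow entries can grant write access.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($who -ne $Account -and $who -notin $impliedGroups) { continue }
        if (($ace.FileSystemRights -band $writeRights) -ne 0) {
            [pscustomobject]@{
                Identity  = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # inherited grants usually come from a parent folder
            }
        }
    }
}

$hits = Test-WebRootWritable -Path $WebRoot -Account $Identity
if ($hits) {
    Write-Warning "Write access to $WebRoot is granted to:"
    $hits | Format-Table -AutoSize
} else {
    Write-Host "No write rights on $WebRoot for $Identity (read-only, as it should be)."
}
```

If an upload feature genuinely needs a writable folder, grant write there only and keep that folder outside the site root so nothing written to it can be served as a page.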