I’ve read some articles about ChartImageHandler storage options, and it seems to have 3 options which I have questions about:

- If we choose the `file` option, then the image created by MS Chart is first stored in the location we specified. I want to know, if we specify the default location `C:\TempImageFiles`, does it have security considerations? I mean, under which Windows user does MS Chart access this folder and write the image to it? Does this have a hack risk?
- If we choose `memory`, the image is stored in main memory, and then if we specify the option `deleteAfterServicing=true`, it is deleted after being downloaded to the client. I want to know, if we choose the `ImageStorageMode="UseHttpHandler"` option for the chart, can any hacker use `Chart.axd` and call it multiple times to cause a memory overflow? What does MS Chart do to prevent this?
- If we choose `session`, the image is stored in a session, and again I want to know whether any hacker can use `Chart.axd`, calling it multiple times, to cause a memory overflow. If there is any exception while creating the image, does it delete the session? After downloading to the client, does it also delete the session?
Files created on the file system will be available to other Windows users with access to the machine. The files will be created by the ASP user, and as such you could restrict the folder access to just this user, therefore preventing visibility to other normal-level users – though system administrators will most likely have full access.

Creating the images in the memory of the web server, triggering a memory overflow and therefore leaving your server vulnerable, is no more insecure than any other memory-consuming part of IIS. For example, if a malicious user created many, many anonymous sessions on your web server they could trigger the same memory state. Therefore I’d state that you are at very low security risk using methods 2 and 3.
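As an added example (not part of the question or answer above), this PowerShell script applies the folder restriction the answer suggests for the `file` storage mode: it strips the inherited ACL from the chart temp folder and grants access only to the application pool identity that writes the images, plus administrators and SYSTEM. It assumes the folder is `C:\TempImageFiles` as in the question and that the site runs under an application pool named `MyChartSite`; both are placeholders to adjust.

```powershell
# Added example, not from the original post. Locks down the ChartImageHandler
# temp folder so only the ASP.NET application pool identity can read/write it.
# Assumptions (placeholders): folder C:\TempImageFiles, app pool 'MyChartSite'.

$chartDir     = 'C:\TempImageFiles'
$appPoolName  = 'MyChartSite'                     # assumption: your app pool name
$poolIdentity = "IIS AppPool\$appPoolName"        # built-in virtual identity of the pool

# Create the folder if the handler has not done so yet.
if (-not (Test-Path $chartDir)) {
    New-Item -ItemType Directory -Path $chartDir | Out-Null
}

# Remove inherited ACEs (by default BUILTIN\Users can read here), then grant only:
#  - the app pool identity: Modify, so the handler can create and delete image files
#  - Administrators and SYSTEM: Full, for maintenance (as the answer notes, admins keep access)
icacls $chartDir /inheritance:r
icacls $chartDir /grant:r "${poolIdentity}:(OI)(CI)M"
icacls $chartDir /grant:r 'BUILTIN\Administrators:(OI)(CI)F'
icacls $chartDir /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F'

# Print the resulting ACL so you can confirm no 'Users' or 'Everyone' entry remains.
icacls $chartDir

# The matching web.config appSettings entry for the question's file option is:
#   <add key="ChartImageHandler" value="storage=file;timeout=20;dir=C:\TempImageFiles\;" />
```

Run this from an elevated prompt on the web server after the application pool exists, since the `IIS AppPool\<name>` identity is only resolvable once the pool has been created.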