I'm vaguely aware that for security reasons, you shouldn't set write
permissions to your root web directory. However, I have a ASP-based
CMS that is designed to write html files and folders to the root
directory.

What are the risks?

Thanks,
Iain

At minimum, it means the user identity which the ASP page runs as has
ability to write files to a directory that is web accessible.

If that directory is also allowed to execute code, it means that a
remote user can write and execute arbitrary code from that directory.

And depending on the user identity configured to execute requests in
specific directories, a remote user can now write and execute
arbitrary code of his choosing with potentially elevated user
privileges.

This is one simple way to be vulnerable to elevation of privilege
attack. Amongst many others.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//


[quoted text, click to view]