I currently have a form that allows administrators to change basic CSS attributes on a website. I was thinking of creating a form for advanced admins that will display the entire CSS file inside a text area and allow them to edit it freely. Im not worried about the file being wiped as it can be easily restored. What i am worried about is that someone could add some code to the CSS file that could cause major damage to the web server. Is it possible to execute malicious code from a CSS file?

It can if they have access to modify. The below link describes xss and css (cross site scripting). They can redirect your background as one example http://www.acunetix.com/websitesecurity/cross-site-scripting/

If they have access to the css file they can link it to another file that contains malicious content

Potential xss vulnerability if style.css is served with the wrong content-type header.

style.css

<script>
alert(document.cookie)
</script>

attack.html

<iframe src="style.css"></iframe>

Yes, there are some XSS risks to consider. XSS doesn't attack your webserver directly with malicious code. It is an attack on other users of your system, via their own browser. Basically, it is a browser based code execution flaw, albeit limited via what JavaScript can do (quite a lot though, bar from escaping from the browser sandbox).

As you are letting them edit text presented in a CSS file, this mitigates some of the attacks that are only possible when CSS is embedded in an HTML document (such as via STYLE="" attributes and <style> tags).

However, the following risks are still present:

• The JavaScript expression directive allows JavaScript to be inserted into a CSS stylesheet. Note that this only affects Internet Explorer version 8 and earlier.
• The url directive can allow JavaScript: style URLs on Internet Explorer 6.
• Script execution via -moz-binding is available on Firefox 2 and 3. The Google Browser Security Handbook doesn't appear to have been updated since Firefox 3. This post indicates this is now fixed so that the XML file has to be readable from your own domain. XBL doesn't seem to be possible in current versions of Firefox.
• In Internet Explorer 10 and earlier HTML Components allow script execution in CSS.

Note that allowing users to alter your CSS gives them the ability to freely position text. This would enable a malicious user to mimic trusted UI elements with their CSS code and possibly being able to trick users with the newly rendered page. This very much depends on the functionality present and the intent of the rest of your site. Definitely bear this in mind.