The permissions bug is fixed – it was due to a line in pvlib.php which was setting the umask to 0111 without consulting the configuration. I’ve changed it to 0133, which is safer.
This seems like an awful security hole which exists in every unmodified install of Pivot out there (well, versions 1.40.6 and 1.40.7 at least), as anyone with an account on your server can write to any of your posts!
Either that or I’ve missed the point and it’s meant to be like that, and is actually perfectly safe for reasons I’m not seeing.
In response to my query, the Pivot developers have released a patch to fix this bug. It’s quite worrying that there are thousands of blogs out there with PHP files that can be written to by anyone who shares the server they’re hosted on!
It was probably a one-off fubar, but I’ll be making daily backups of my freeshell account just in case!
Idris (URL) - 01 04 09 - 20:53
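What the two umask values in the post mean for newly created files, and how to check an existing install, as an added example (not code from the original post or from Pivot). It assumes files are created with a requested mode of 0666, as shell redirection does; the function names and `entry.php` are made up for illustration.

```shell
#!/bin/sh
# Added example: effect of umask 0111 vs 0133 on new files, plus an audit.
# Assumption: the file is created with requested mode 0666 (shell redirection).

# mode_under_umask MASK -> prints the octal mode a new file ends up with.
mode_under_umask() {
    dir=$(mktemp -d) || return 1
    # Subshell so the umask change does not leak into the caller.
    ( umask "$1" && : > "$dir/entry.php" )
    # GNU/busybox stat takes -c, BSD stat takes -f.
    stat -c '%a' "$dir/entry.php" 2>/dev/null || stat -f '%Lp' "$dir/entry.php"
    rm -rf "$dir"
}

# world_writable_php DIR -> lists *.php files that any local account can write.
world_writable_php() {
    find "$1" -type f -name '*.php' -perm -0002
}

# tighten_php DIR -> removes group/other write from existing *.php files.
# Changing the umask only affects files created afterwards, so files
# already written under 0111 stay world-writable until this is done.
tighten_php() {
    find "$1" -type f -name '*.php' -perm -0002 -exec chmod go-w {} +
}

demo() {
    # 0111 clears only the execute bits: 0666 & ~0111 = 0666 (rw-rw-rw-)
    echo "umask 0111 -> $(mode_under_umask 0111)"
    # 0133 also clears group/other write: 0666 & ~0133 = 0644 (rw-r--r--)
    echo "umask 0133 -> $(mode_under_umask 0133)"

    tree=$(mktemp -d)                        # constructed sample install
    ( umask 0111 && : > "$tree/old-entry.php" )
    ( umask 0133 && : > "$tree/new-entry.php" )
    echo "world-writable before cleanup:"
    world_writable_php "$tree"
    tighten_php "$tree"
    echo "world-writable after cleanup: $(world_writable_php "$tree" | wc -l)"
    rm -rf "$tree"
}

demo
```

Run `world_writable_php` against the real install directory to see which files were left writable by other accounts on a shared host.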