id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
21855,"Several files are group writable, breaking suPHP-based setups",JeremyVisser,,"After upgrading to WordPress 3.4.2, I found the following files are group writable:

 * wp-admin/about.php
 * wp-admin/setup-config.php
 * wp-admin/includes/class-wp-themes-list-table.php
 * wp-admin/includes/class-wp-plugins-list-table.php
 * wp-admin/includes/meta-boxes.php
 * wp-admin/includes/update-core.php
 * wp-admin/includes/class-wp-upgrader.php
 * wp-admin/includes/class-wp-ms-themes-list-table.php
 * wp-admin/plugins.php
 * wp-admin/index.php
 * wp-admin/js/link.dev.js
 * wp-admin/js/link.js
 * wp-admin/js/customize-controls.js
 * wp-admin/js/post.dev.js
 * wp-admin/js/post.js
 * wp-admin/js/customize-controls.dev.js

An example {{{ls -l}}}:

{{{
-rw-rw-r-- 1 wordpress www-data  5473 Sep  7 08:15 /var/www/wordpress/wp-admin/index.php
}}}

This is in contrast to the majority of files:

{{{
-rw-r--r-- 1 wordpress www-data 395 Jun 14 18:14 /var/www/wordpress/index.php
}}}

This causes suPHP errors such as the following:

{{{
SoftException in Application.cpp:249: File ""/var/www/wordpress/wp-admin/index.php"" is writeable by group
Premature end of script headers: index.php
}}}

A temporary workaround is to {{{chmod g-w}}} these files on my end, but the permissions get overwritten every time an SVN update occurs.",defect (bug),closed,normal,,Filesystem,3.4.2,normal,invalid,,
