• Nice plugin, but it creates a serious security breach:
    when it creates a child theme, function.php (and style.css) has write permission for “public” (666, rw-rw-rw-).
    After creating a child theme with this plugin, don’t forget to change the rights to 640 or 660.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author lilaeamedia

    (@lilaeamedia)

    CTC uses the WordPress filesystem API so the permissions are set to the same settings as WordPress.

    Most commercial hosts run SUExec so the filesystem is not world writable. For others CTC lets you switch between world writable and read only. If, for some reason, this is not happening, then this would be a “vulnerability.”

    A “breach” implies that CTC is somehow deliberately bypassing security to retrieve restricted data.

    Thread Starter birdy4012

    (@birdy4012)

    Sorry for the “breach” term (my English isn’t good).
    I just say what I saw. I have used this plugin on 2 distinct VPS at OVH (one with Plesk and an auto-install WP script, the other only Debian).
    A PHP file with write permission for the public user, it’s …
    But I don’t understand: when WP updates Core or installs/updates plugins, I never see a PHP file with o+w.
    In the CTC plugin files, we can see (includes/classes/Admin.php, lines 1081 and 1110):
    $mode = 'direct' == $this->fs_method ? FALSE : 0666; Why not 0664 or 0660?
    But sorry, a review isn’t the best place for Questions/Answers.

    Plugin Author lilaeamedia

    (@lilaeamedia)

    The default permission for PHP on *nix is 644. For the vast majority of commercial web hosts running Apache on *nix with SUExec this will be the case. The WordPress filesystem API determines the permission based on a number of factors. If it determines that Apache can write to the filesystem it will use the ‘direct’ filesystem method and the default permissions. Otherwise it chooses the best filesystem method (usually FTP) and displays a login modal to get an FTP session to write the file as a privileged user.

    Because CTC writes to the stylesheet via XHR requests (ajax) it sets the permission to world writable when it does not have ‘direct’ access. It then displays a notice to the user to “lock down” the permissions when finished editing. Hence the ternary conditional of false (no change) with direct access and 666 otherwise.

    640 is read only for group and no-access for world. This makes it so the public user can read the file.

    My larger complaint has to do with posting disparaging reviews without knowing the technical details. Average users will now see this post and think there is a problem when there is not.
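
    A check for the condition discussed in this thread (world-writable files left in a theme directory after editing), as an added shell example that is not part of the thread or of the CTC plugin; the themes path in the usage comment is a placeholder, and the lock-down target of 644 is the default the plugin author cites, not a CTC setting.

```shell
#!/bin/sh
# Added example (not from the CTC plugin or this thread): audit a WordPress
# themes directory for files with the "other write" bit set (o+w, e.g. 0666)
# and lock them back down to the 644 default the plugin author mentions.
# Assumes POSIX find(1), chmod(1) and either GNU or BSD stat(1).

# Print every regular file under $1 that is world writable, one per line.
# -perm -0002 matches any mode that includes the o+w bit.
find_world_writable() {
  find "$1" -type f -perm -0002 2>/dev/null | sort
}

# Remove the group and other write bits from those files (0666 -> 0644),
# leaving the owner's permissions untouched.
lock_down() {
  find "$1" -type f -perm -0002 -exec chmod go-w {} + 2>/dev/null
}

# Octal mode of one file; GNU stat uses -c, BSD/macOS stat uses -f.
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage with a placeholder path (run the audit first, then lock down):
#   find_world_writable /var/www/html/wp-content/themes
#   lock_down /var/www/html/wp-content/themes
```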

    Andrew Nevins

    (@anevins)

    WCLDN 2018 Contributor | Volunteer support

    Average users will now see this post and think there is a problem when there is not.

    You might want to make a non-technical post in this thread for those users.

    Plugin Author lilaeamedia

    (@lilaeamedia)

    Summary Explanation:

    Some servers require the user to provide FTP credentials to install themes and plugins and make changes to files, but the majority are set in a way that they do not.

    In cases where they do, CTC sets some file permissions so that they can use the editors without the prompt. This is essentially the same as setting the uploads directory so that the user can add images without the prompt.

    It also tells the user to “lock down” the theme after editing to set the files to read only.

    Whether this constitutes a “security breach” is a matter of dispute.

  • The topic ‘Security warning’ is closed to new replies.