I found a little snag in the Contact Form 7 plugin for WordPress by Takayuki Miyoshi when using it in combination with suPHP.
The plugin temporarily stores the captcha image in your uploads directory, and does so with permissions set to 0700, which makes sense security-wise. When used in combination with suPHP, though, the webserver cannot read that image: the webserver runs under the username ‘www’ (on FreeBSD 7.x at least), while any PHP scripts run under the username/userid of the website owner (which is not www), so the 0700 file belongs to a different user than the one serving it.
Now, there are two ways to fix this:
- Run the rest of the website (not just .php, but everything) under the username of the website owner. That is not always an available option, though; setting up suexec can be pretty tricky at times.
- Patch the plugin so it stores ONLY the captcha image with 755 permissions. Security-wise this should not have any implications whatsoever.
I used option two:
captcha/captcha.php, line 78 (right after imagedestroy($im);):
chmod($this->tmp_dir . $filename, 0755); // octal literal; the original octdec(755) evaluates to the same value (0755 = 493)
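The problem and the patch in isolation, as an added example that is not the plugin's own code: it creates the temporary image the way the unpatched plugin leaves it (0700), checks whether a different uid such as the webserver's could read it, then applies the fix. The directory, file name and image bytes are constructed placeholders; 0644 is used as the default because a static image only needs to be readable, and the 0755 from the post works the same way.

```php
<?php
// Added example, not code from Contact Form 7. Reproduces the suPHP
// permission mismatch and the fix. All inputs below are constructed.

// The patch applied to captcha.php: make the image readable by users other
// than the site owner so the webserver (e.g. 'www') can serve it.
// 0644 is enough for an image; octdec(755) === 0755 also works but adds an
// executable bit that nothing needs.
function fix_captcha_permissions(string $path, int $mode = 0644): void
{
    if (!chmod($path, $mode)) {
        throw new RuntimeException("cannot chmod $path");
    }
    clearstatcache(true, $path);
}

// True when a process running under a different uid (and group) can read
// the file: the "other" read bit, S_IROTH = 0004, must be set.
function readable_by_other_uid(string $path): bool
{
    clearstatcache(true, $path);
    return (fileperms($path) & 0004) !== 0;
}

$tmp_dir  = sys_get_temp_dir();                                  // constructed
$filename = 'captcha-example-' . getmypid() . '.png';            // constructed
$image    = "placeholder bytes, not a real PNG\n";               // constructed
$path     = rtrim($tmp_dir, '/') . '/' . $filename;

// What the unpatched plugin leaves behind: a 0700 file owned by the uid the
// PHP script runs as (the site owner under suPHP, not the webserver user).
if (file_put_contents($path, $image) === false) {
    throw new RuntimeException("cannot write $path");
}
chmod($path, 0700);
printf("before: mode %04o, readable by another uid: %s\n",
    fileperms($path) & 0777, readable_by_other_uid($path) ? 'yes' : 'no');

// After the patch the webserver can read the captcha image.
fix_captcha_permissions($path);
printf("after:  mode %04o, readable by another uid: %s\n",
    fileperms($path) & 0777, readable_by_other_uid($path) ? 'yes' : 'no');

unlink($path);
```

Run it as the same user suPHP executes your site with; the first line reports "no" and the second "yes", which is exactly the difference the webserver sees.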