Quote:
Originally Posted by macooper
It really means that your site is as secure as the least secure script on the server, so you are dependent on other people using the same server keeping all their scripts up to date.
This is probably the best way to describe this.
Directories that have permissions of 777 are generally fine, if every single account on your server keeps each of their individual scripts up-to-date and free of any exploits. In practice, this is not seen very often. You would also have to have some semblance of trust with all users on the server.
A directory that is set to 777 means that any user on the server would be able to write or create files in that directory. Outside users would not be able to, unless they are exploiting a script somewhere on the server (see above paragraph).
If you are running a server and you are only hosting 1 single account on that server, then issues with 777 directories become less of an issue. This is because if you fail to keep your scripts up-to-date, you only have one person to blame, the owner of that account. That script might become exploitable, but again, that is the problem that the account owner should have taken care of.
For example, if you are running mod_php (PHP as an Apache module) then PHP will run as the Apache user (commonly nobody). If there is just one account on the server, username bob, then if that account has a gallery script that requires 777 directories and has another script that is not being kept up-to-date, then when that script is exploited, an outside user would be able to exploit that script and write to those 777 directories pertaining to the gallery script.
If PHP is running as CGI, then PHP scripts would be executed as the bob user. Directories would not need to be 777, because directories would be owned by the bob user and directories that are owned by bob and have permissions of 755 would have sufficient permissions to handle PHP uploads. However, if the second script was exploited, then that PHP exploit would be running as the bob username as well, and it would be able to write to files anywhere on the bob account.
Probably if you are running a dedicated hosting account, a server with just one account and that is it, running mod_php is your best option. Mod_php will likely give you better performance, and while you will have to have 777 directories, as long as you keep the scripts on the account up-to-date (like everyone should do) then it should not pose a problem, and there is certainly no advantage in using PHP as CGI.
If you are on a shared hosting environment, where a server hosts many accounts, then the same cannot be said. In that case, PHP as CGI is probably best. Otherwise a PHP exploit on john's account on the server could be used to write files to bob's gallery 777 directories.
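As an added example (not part of the original post), this Python sketch models the standard owner/group/other write check for the accounts the post names and lists world-writable directories under a tree. The uids and function names are constructed for illustration; root, ACLs and parent-directory permissions are ignored.

```python
import os
import stat

# Constructed uids for the accounts named in the post (assumptions, not real values).
BOB, JOHN, NOBODY = 1001, 1002, 65534

def can_create_files(dir_mode, dir_uid, dir_gid, proc_uid, proc_gids=()):
    """Unix check for creating a file in a directory: the first matching class
    (owner, then group, then other) must grant both write and search (w+x).
    Root, ACLs and parent-directory permissions are ignored in this model."""
    if proc_uid == dir_uid:
        shift = 6
    elif dir_gid in proc_gids:
        shift = 3
    else:
        shift = 0
    return (dir_mode >> shift) & 0o3 == 0o3

def scenarios():
    """Who can write into bob's gallery directory under each setup in the post."""
    return {
        "mod_php as nobody, dir 777": can_create_files(0o777, BOB, BOB, NOBODY),
        "mod_php as nobody, dir 755": can_create_files(0o755, BOB, BOB, NOBODY),
        "CGI as bob, dir 755": can_create_files(0o755, BOB, BOB, BOB),
        "CGI as john, dir 755": can_create_files(0o755, BOB, BOB, JOHN),
    }

def world_writable_dirs(root):
    """Audit helper: relative paths of directories under root with the
    'other' write bit set, i.e. writable by any local user."""
    hits = []
    for path, dirs, _files in os.walk(root):
        for name in dirs:
            full = os.path.join(path, name)
            mode = os.lstat(full).st_mode
            if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)

if __name__ == "__main__":
    for label, allowed in scenarios().items():
        print(f"{label}: {'can write' if allowed else 'denied'}")
    print(world_writable_dirs("."))
```

Pointing `world_writable_dirs` at an account's document root shows which upload directories would be reachable by any script on the server that runs as a different user.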