It appears the Header Tags files are being flagged from our server because they use the base64_decode function, a function which is used VERY often by exploit scripts to hide what the file is doing. Since your instructions ask for 777 permissions on files, this makes Apache vulnerable.
From our data center regarding this contribution:
When you execute PHP code, it runs as a user, just like every other program in
Linux. Because you are running your PHP as DSO, it runs as a part of Apache,
and runs as the same user.
Giving your files 777 permissions gives everyone the ability to read, write,
and execute the file. In particular for your situation, this gives Apache and
PHP both the ability to read and write.
PHP generally is not an issue - the code had to be on your server to execute,
so people from the outside cannot just upload PHP code through anything in PHP
unless something is written to allow this. Apache is an issue: anyone can try
to put a file on your server by using an HTTP command to send it to the server,
and if Apache has write permissions to that directory, Apache will save it on
the server. If the file was a PHP file, and then someone visits the location
of that file, they are now running code on your server and can do quite a bit.
777 permissions are bad. If the author mentions that this plugin needs them, I
would recommend finding another plugin. While this plugin may not be
malicious, it opens dangerous doors.
Any suggestions?
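
One way to check a site for the two conditions the data center describes, as an added example that is not part of the original post or the contribution's own code: it lists world-writable entries under a web root, lists PHP files that call base64_decode, and can clear the world-write bit. The function names are hypothetical and the web root path is whatever you pass in.

```shell
#!/bin/sh
# Added example: audit a web root for world-writable entries and
# PHP files that call base64_decode. Function names are hypothetical.

# Files and directories that every local user, including the Apache
# user, can write to (the "other" write bit is set, as with 777).
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# PHP files that call base64_decode. A match is a reason to read the
# file, not proof that it is malicious.
php_base64() {
    find "$1" -type f -name '*.php' -exec grep -l 'base64_decode' {} + || true
}

# PHP files that are world-writable AND call base64_decode: review first,
# since anything able to write there could have altered them.
writable_base64() {
    find "$1" -type f -name '*.php' -perm -0002 \
        -exec grep -l 'base64_decode' {} + || true
}

# Clear the world-write bit on everything that has it set.
strip_world_write() {
    find "$1" ! -type l -perm -0002 -exec chmod o-w {} +
}

# Report only when a web root is given; changing modes is a separate,
# deliberate call to strip_world_write.
if [ "$#" -eq 1 ]; then
    echo "== world-writable =="
    world_writable "$1"
    echo "== PHP using base64_decode =="
    php_base64 "$1"
    echo "== world-writable PHP using base64_decode =="
    writable_base64 "$1"
fi
```

If the site stops working after the world-write bit is cleared, the directory that Apache genuinely needs to write to can be granted to the Apache user alone instead of to everyone.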