An HTML form, a php file and a text file.
The form has one input box, it sends the inputted string to the PHP file using GET or POST. The PHP file writes the string to the text file using fopen 'a', fwrite and fclose and does no sanitization at all.
The text file is set to permission 777 and is in the same folder as the other files.
Are there any security concerns here? Is it possible for someone to send something using the form that will do any damage? If yes, what?
What about if the txt file is set to 666?
Depending on what the use of this file, there shouldn't be much risk involved. Just make sure the file is never executed.
This means, never eval() the content of this file, or change it into a .php or any other executable file.
However, if the content is ever to be written on a page, or viewable by the user, you will have security risks doing this.
From a web-security point of view, I do not see any problems, as long as the path of the text file is hardcoded or secured in any other way. You haven't said anything though about what happens if the file is missing or read-only (yes, it can happen, for example if the file system is mounted read-only by the administrator).
That being said, this use case is also completely useless, as the text file serves only as a data sink. A data sink that is never read from is useless. The problems may arise when you want to read from the file.
I typically use 3 ways to improve security writing to files. 1) Move file out of webroot and into some folder with restricted access like cgi-bin. The path to the file and any passwords should also be saved outside of the webroot. 2) Then you include the sensitive data by including it on your page. So if PHP parser fails people only see a variable name and no details. 3) If your are doing a post or get to the file which is doing the writing you can also check the values carefully and stip out characters, script, etc. that could cause problems.