Atomic Secure Linux
All times are UTC - 5 hours [ DST ]




Post subject: Too many 777s
Posted: Sun Feb 26, 2012 7:05 pm
Long Time Forum Regular
Joined: Thu Dec 09, 2004 11:19 am
Posts: 1846
Long story short:

It is not uncommon for lazy customers to 777 EVERYTHING in a site to get a CMS like Joomla working with the minimum of effort.

It would be nice for ASL to scan for such sites, possibly by checking to see if more than X% of files/dirs in site are 777.

As an extra twist, I wonder if it would also be useful to scan for anything with a filename containing the word "config" (possibly only if it has an extension of "php" ?) that's 777 (or apache.apache and writable by apache??? That's probably not a good situation, though there may be some scripts that need it?)

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>


Post subject: Re: Too many 777s
Posted: Tue Mar 06, 2012 5:35 pm
Forum User
Joined: Tue Mar 06, 2012 5:23 pm
Posts: 7
Location: Melbourne
Depending on your server setup (the way Apache is running: suPHP, Ruid2 or DSO), all you need is to create a crontab entry for a daily run like this, e.g. for cPanel running Apache with suPHP or Ruid2:

1 1 * * * cd /home && find . -type f -perm 0777 -exec chmod 0644 "{}" \;
2 1 * * * cd /home && find . -type d -perm 0777 -exec chmod 0755 "{}" \;
3 1 * * * cd /home && find . -type f -perm 0666 -exec chmod 0644 "{}" \;


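The opening post asks for a scan that flags a site when more than X% of its files and directories are 777, plus a check for world-writable config files, while the cron entries above fix permissions blindly (which, as later replies point out, can break sites that run PHP as the Apache user). The following is an added example, not code from this thread, from ASL or from Atomicorp, that implements the audit side only: it walks a web root, reports the share of world-writable entries against a threshold, and lists world-writable files whose name contains "config" and ends in .php. It never chmods anything. The sample site it builds under a temp directory is constructed, and the threshold and file names are assumptions.

```python
"""Audit a web root for world-writable files and directories.

Added example (not from the forum thread or from ASL): reports only, never
chmods, because sites running PHP as the web server user (DSO / mod_php)
may legitimately need a writable upload directory.
"""
import os
import shutil
import stat
import tempfile


def audit_site(root, threshold_pct=10.0):
    """Walk `root` and summarise world-writable entries.

    Returns a dict with the entry count, the world-writable entries, the
    percentage they represent, whether that exceeds `threshold_pct`, and the
    world-writable *config*.php files (the extra check from the opening post).
    """
    total = 0
    world_writable = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits are not meaningful on Linux
            total += 1
            if st.st_mode & stat.S_IWOTH:
                world_writable.append(os.path.relpath(path, root))
    pct = (100.0 * len(world_writable) / total) if total else 0.0
    config_hits = [p for p in world_writable
                   if "config" in os.path.basename(p).lower()
                   and p.endswith(".php")]
    return {
        "total": total,
        "world_writable": sorted(world_writable),
        "percent": pct,
        "flagged": pct > threshold_pct,
        "config_hits": sorted(config_hits),
    }


def build_sample_site():
    """Create a constructed Joomla-like tree in a temp dir; returns its path.

    The layout is made up for the example: a world-writable configuration
    file, a 777 upload directory, and a 666 file inside it.
    """
    root = tempfile.mkdtemp(prefix="audit-")
    layout = {
        "index.php": 0o644,
        "configuration.php": 0o777,   # worst case: world-writable config
        "images/": 0o777,             # typical 'make uploads work' directory
        "images/logo.png": 0o666,
        "templates/": 0o755,
        "templates/main.css": 0o644,
    }
    for rel in layout:
        path = os.path.join(root, rel.rstrip("/"))
        if rel.endswith("/"):
            os.makedirs(path, exist_ok=True)
        else:
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("sample\n")
    # Apply modes after everything exists so creation order does not matter.
    for rel, mode in layout.items():
        os.chmod(os.path.join(root, rel.rstrip("/")), mode)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    report = audit_site(site)
    print(f"{report['percent']:.0f}% of {report['total']} entries are world-writable"
          f" (threshold exceeded: {report['flagged']})")
    for p in report["world_writable"]:
        print("  o+w:", p)
    for p in report["config_hits"]:
        print("  WORLD-WRITABLE CONFIG:", p)
    shutil.rmtree(site)
```

Run it against a real web root by calling audit_site("/var/www/vhosts/example.com/httpdocs") (path assumed); a per-domain notification, as discussed later in the thread, would be built from the returned dict rather than from the printed lines.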
 
Post subject: Re: Too many 777s
Posted: Wed Mar 07, 2012 9:58 am
Atomicorp Staff - Site Admin
Joined: Wed Dec 31, 1969 8:00 pm
Posts: 7425
Location: earth
It's possible to do this with the HIDS and do both administrator and per-user notifications by monitoring the /var/www/vhosts directory and then setting up Notify options for different domains to their respective owners.

Additionally you can use the regex field to narrow the search to specific files and send diffs of the changes to files (note, this can use a lot of space! side effect, you now have backups and rollbacks). It can also do this in real-time if your kernel supports inotify().


 
Post subject: Re: Too many 777s
Posted: Sat Jun 30, 2012 3:58 pm
Forum Regular
Joined: Mon Oct 29, 2007 6:51 pm
Posts: 606
That could be bad though - if they run as DSO some directories would need to be 777 so their sites can upload and work with files that the FTP user uploaded and vice versa. Joomla and WordPress are the two main examples that come to mind.


 
Post subject: Re: Too many 777s
Posted: Sun Jul 01, 2012 4:28 pm
Atomicorp Staff - Site Admin
Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3245
Location: Chantilly, VA
I understand what you're saying. Would group write work with some control panels, or are the users just so unrelated that it needs to be world writable?

The idea of alerting on 777 is an interesting idea (if it's feasible, but if web apps need this to work, ZOMG is that vulnerable!). I could see maybe this being a domain user only alert? For example, they get an email warning them that their websites may have insecure permissions?

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 
Post subject: Re: Too many 777s
Posted: Sun Jul 01, 2012 4:59 pm
Long Time Forum Regular
Joined: Thu Dec 09, 2004 11:19 am
Posts: 1846
The domain user would probably not understand what the warning was about. It might work if we could define the text of the warning and maybe add a link to a website page explaining what this was all about.

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>


 
Post subject: Re: Too many 777s
Posted: Mon Jul 02, 2012 4:10 am
Long Time Forum Regular
Joined: Sat Aug 20, 2005 9:30 am
Posts: 2812
Location: The Netherlands
mikeshinn wrote:
Would group write work with some control panels, or are the users just so unrelated that it needs to be world writable?


A very common case Plesk end users run into is using mod_php (PHP running as user 'apache') with a web application which needs to be able to upload files (file uploads for a WordPress installation for instance). This won't work out of the box since the upload directory will be 755 and owned by the domain user and 'psacln' group by default, which does not allow user 'apache' to write files to this directory. User 'apache' isn't a member of the 'psacln' group, so setting 775 permissions won't help either.

Since end users can't change the user or group owner they have no choice but to change permissions and setting the upload directory to be world writable is the only way user 'apache' will be allowed to write files to the upload directory. AFAIK using 777 permissions is actually the only way PHP file uploads with mod_php will work in Plesk's setup without an administrator stepping in to change user or group ownership, use sticky bits or some other voodoo end users are not allowed to perform.

When a domain is running PHP via FastCGI it will work out of the box, since in that case the PHP code will be executed by the user owning the PHP file.

The WordPress file permissions documentation at http://codex.wordpress.org/Changing_File_Permissions tries its best to explain how file permissions work and why 777 is bad, but my experience is that end users feel the documentation is way too complex for them to understand, so they'll find some forum post which tells them using 777 permissions (recursively!) will solve all their problems. They try it and ta-da, it works! Some even go as far as recursively setting 777 on all files and directories in their httpdocs directory for good measure.

_________________
Lemonbit Internet Dedicated Server Management


Last edited by breun on Mon Jul 02, 2012 1:08 pm, edited 1 time in total.

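The ownership reasoning in the post above (upload directory owned by the domain user and group psacln, mod_php running as apache, which is not a member of psacln) can be checked against the kernel's owner/group/other rule. Below is an added example, not from this thread, from Plesk or from Atomicorp, that models that rule in Python with constructed uids and gids and runs the cases the post describes: 755 and 775 fail for apache, 777 works, 775 works only once an administrator adds apache to psacln, and FastCGI works at 755 because PHP runs as the file's owner. The account names, uids and gids are assumptions made for the example.

```python
"""Model the Unix discretionary write check for the Plesk + mod_php case.

Added example, not from the thread. Accounts are constructed: 'domainuser'
owns the upload directory with group 'psacln'; mod_php runs as 'apache',
which is not in 'psacln'. Root (uid 0) is deliberately not modelled, since
neither PHP execution model discussed runs as root.
"""
import stat

PSACLN_GID = 10002  # constructed gid for the Plesk 'psacln' group

# Constructed accounts: uid, primary gid, and the full set of gids the
# process carries (primary plus supplementary groups).
ACCOUNTS = {
    "domainuser": {"uid": 10001, "gid": 10001, "groups": {10001, PSACLN_GID}},
    "apache":     {"uid": 48,    "gid": 48,    "groups": {48}},
}


def can_write(mode, owner_uid, group_gid, account):
    """True if `account` may write an inode with this mode and ownership.

    Mirrors the kernel's DAC check: only the owner bits apply when the uid
    matches, else only the group bits when the inode's gid is one of the
    process's gids, else only the 'other' bits. The classes do not fall
    through to each other, which is why 775 does nothing for a non-member.
    """
    if account["uid"] == owner_uid:
        return bool(mode & stat.S_IWUSR)
    if group_gid in account["groups"]:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def upload_dir_writable(mode, php_runs_as, apache_in_psacln=False):
    """Writability of an upload directory owned by domainuser:psacln for the
    account PHP executes as: 'apache' under mod_php/DSO, 'domainuser' under
    FastCGI. `apache_in_psacln` models the administrator-only fix of adding
    apache to the group."""
    account = dict(ACCOUNTS[php_runs_as])
    if apache_in_psacln and php_runs_as == "apache":
        account = {**account, "groups": account["groups"] | {PSACLN_GID}}
    return can_write(mode, ACCOUNTS["domainuser"]["uid"], PSACLN_GID, account)


def scenarios():
    """The cases discussed in the thread, as (label, writable) pairs."""
    return [
        ("mod_php, 755", upload_dir_writable(0o755, "apache")),
        ("mod_php, 775", upload_dir_writable(0o775, "apache")),
        ("mod_php, 777", upload_dir_writable(0o777, "apache")),
        ("mod_php, 775 with apache added to psacln",
         upload_dir_writable(0o775, "apache", apache_in_psacln=True)),
        ("FastCGI, 755", upload_dir_writable(0o755, "domainuser")),
    ]


if __name__ == "__main__":
    for label, ok in scenarios():
        print(f"{label:45} -> {'writable' if ok else 'NOT writable'}")
```

The group-membership fix is the one the post calls administrator voodoo: it is invisible to the end user, which is exactly why the user-reachable answer collapses to 777 under mod_php and why switching the domain to FastCGI removes the problem without touching permissions.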
 
Post subject: Re: Too many 777s
Posted: Mon Jul 02, 2012 12:56 pm
Atomicorp Staff - Site Admin
Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3245
Location: Chantilly, VA
Agreed, any useful message will need to explain this in easily understood terms and why it's important to the domain owner.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.


 
Post subject: Re: Too many 777s
Posted: Mon Jul 02, 2012 1:00 pm
Forum Regular
Joined: Mon Oct 29, 2007 6:51 pm
Posts: 606
Maybe it would be good to have a button inside Plesk for each domain, entitled something like "Security Scan", in which you can offer suggestions - like set PHP to run as CGI/FCGI, change permissions on these folders to xxxx, set this file to be outside the web root (like config.php, etc), etc. Combine this with your app scan and you can give tailored security messages to the end user for best practices based on the app, as well as just stupid things to avoid in general. Possibly even letting them know about insecure passwords, email accounts, etc.

Let them know if they installed their own version of phpmyadmin that they are being retarded, that kind of stuff :)


 