I believe my hosting service recently changed their setup so that scripts are all run with the user's ID rather than the webserver/nobody ID, so that's good, right? I guess I can check by setting that folder to 644 and trying to create a post...

Doesn't solve the problem for anyone else though. Thanks for the info.

Anyone care to boil security and taint issues down to "if you're doing any of the following things, you need to worry..." kind of thing?
--

($_='jjjuuusssttt annootthhrer
     pppeeerrrlll  haaaccckkeer')=~y/a-z//s;print;
[download]