
Any way to upgrade Plesk's internal Apache version?

codesmith

Guest
Hi,

Trying to pass a PCI compliance test and this is the last one:

Synopsis : The remote web server is vulnerable to a cross-site scripting attack.

Description : The remote web server fails to sanitize the contents of an 'Expect' request header before using it to generate dynamic web content. An unauthenticated remote attacker may be able to leverage this issue to launch cross-site scripting attacks against the affected service, perhaps through specially-crafted ShockWave (SWF) files.

See also :
http://archives.neohapsis.com/archives/bugtraq/2006-05/0151.html
http://archives.neohapsis.com/archives/bugtraq/2006-05/0441.html
http://archives.neohapsis.com/archives/bugtraq/2006-07/0425.html
http://www.apache.org/dist/httpd/CHANGES_2.2
http://www.apache.org/dist/httpd/CHANGES_2.0
http://www.apache.org/dist/httpd/CHANGES_1.3
http://www-1.ibm.com/support/docview.wss?uid=swg1PK24631
http://www-1.ibm.com/support/docview.wss?uid=swg24017314

Solution: Check with the vendor for an update to the web server. For Apache, the issue is reportedly fixed by versions 1.3.35 / 2.0.57 / 2.2.2 for IBM HTTP Server, upgrade to 6.0.2.13 / 6.1.0.1 for IBM WebSphere Application Server, upgrade to 5.1.1.17.

Looks like Plesk's own Apache version is 1.3.33 - any way to upgrade this to 1.3.35 or better?

Thanks
 
Plesk has two Apaches - one for the Plesk admin interface and one for customers' virtual hosts. Both are shipped with the Plesk distribution and you can't update them without the standard Plesk upgrade procedure.
BTW, I have checked and found the following:

[root@plesk860 ~]# cat /usr/local/psa/version
8.6.0 RedHat el4 86080930.03
[root@plesk860 ~]# apachectl -v
Server version: Apache/2.0.52
Server built: Jun 18 2007 15:27:00
[root@plesk860 ~]# rpm -qf /usr/sbin/apachectl
httpd-2.0.52-32.ent.1.swsoft
[root@plesk860 ~]# rpm -qf /usr/local/psa/admin/bin/httpsdctl
psa-8.6.0-rhel4.build86080722.02

If you mean the internal Apache for the Plesk interface (httpsd), you can't update it in any way except by a whole Plesk update.
 
Hi - yes I mean 'Apache for Plesk interface (httpsd)' - the PCI scan is failing for ports 8443 and 8880. This is what I get for

# /usr/local/psa/admin/bin/httpsd -v
Server version: Apache/1.3.33 (Unix)
Server built: Jul 22 2008 02:31:28

So what do you mean by 'whole Plesk update'? How do I do this?

Thanks.
 
So what do you mean by 'whole Plesk update'? How do I do this?

Just run /usr/local/psa/admin/bin/autoinstaller and upgrade your Plesk to the latest available version. Apache will be updated too.
 
What version of Apache is installed for the 'Apache for Plesk interface (httpsd)' for the 'latest available version'? (Is that 9.2?)
 
(And this always having to wait for moderation is completely lame... how about automatic approval for established accounts? Who/where at Parallels can we talk to about this?)
 
What version of Apache is installed for the 'Apache for Plesk interface (httpsd)' for the 'latest available version'? (Is that 9.2?)

For example, the user's Apache:

# cat /usr/local/psa/version
9.2.3 CentOS 5 92091016.19
# apachectl -v
Server version: Apache/2.2.3
Server built: Jul 14 2009 06:02:39

And there is no httpsd now. The new sw-cp-server, based on a heavily patched lighttpd, is now used for the Plesk admin interface.
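
Added example, not written by any poster in this thread and not part of Plesk's tooling: a small shell check that applies the scan report's fixed releases (1.3.35 / 2.0.57 / 2.2.2) to the version banners quoted above. The function names are made up for this example, and the check mirrors the scanner's banner comparison only; a distribution package may carry backported fixes without a version bump, so confirm against the package changelog.

```shell
#!/bin/sh
# Added example: compare an Apache version banner with the fixed releases
# named in the scan report. Function names are hypothetical.

# Print the x.y.z version from a "Server version: Apache/x.y.z" line.
banner_version() {
    printf '%s\n' "$1" |
        sed -n 's|.*Apache/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p' |
        head -n 1
}

# Succeed when dotted version $1 is numerically lower than $2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Print "flagged", "ok" or "unknown" for one banner line.
expect_xss_status() {
    ver=$(banner_version "$1")
    [ -n "$ver" ] || { echo "unknown"; return 0; }
    case $ver in
        1.3.*) fixed=1.3.35 ;;
        2.0.*) fixed=2.0.57 ;;
        2.2.*) fixed=2.2.2 ;;
        *) echo "unknown"; return 0 ;;   # branch not named in the report
    esac
    if version_lt "$ver" "$fixed"; then
        echo "flagged: $ver < $fixed"
    else
        echo "ok: $ver >= $fixed"
    fi
}

# Banners as quoted in the thread (httpsd, 8.6.0 httpd, 9.2.3 httpd).
for banner in 'Server version: Apache/1.3.33 (Unix)' \
              'Server version: Apache/2.0.52' \
              'Server version: Apache/2.2.3'; do
    printf '%s -> %s\n' "$banner" "$(expect_xss_status "$banner")"
done
```

To check a live server, pass the first line of `/usr/local/psa/admin/bin/httpsd -v` or `apachectl -v` to `expect_xss_status`.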
 