
be careful! serious possible bug

sebgonzes

Silver Pleskian
We have found what appears to be a serious bug with Apache mpm-event (CentOS 7 with Plesk 12.5 MU21)...
If Apache is configured like this, the php5 checkbox is disabled and can't be activated. Well, if you configure a domain with nginx + php-fpm, you access http://www.domain.com and everything works. Next, try changing the URL to http://www.domain.com:7080 (Apache port) and... PHP files are downloaded (this also works with wp-config.php, for example)!

Can anyone try it on another Plesk 12.5 server?

If you configure Apache with prefork, you can check the php5 checkbox, and the problem does not appear...
 
I don't have that problem but I also have my firewall configured to block all ports except the ports that are actually being used, so port 7080 is blocked by iptables. It's always good practice to drop packets going to unused ports too, so you can avoid issues like that. (BTW, I'm using Plesk's Firewall to manage my firewall rules too.)
 
I don't have that problem but I also have my firewall configured to block all ports except the ports that are actually being used, so port 7080 is blocked by iptables.
I enabled the Virtuozzo container firewall with a "deny-all" policy. I had to allow input destination ports 7080-7081 to get the web server working.
Should those ports be allowed to "any" or would just 127.0.0.1 work?
 
Well, in our case we can't block this port, because we discovered the bug on a complex website that requires nginx + php-fpm with specific rewrite rules for the main website, but also has 2 WordPress sites in subfolders, which we redirect to Apache on port 7080 with our own .htaccess.
Can someone reproduce the problem? I think, if it's not a config error in our case (I don't think so), it's a very critical thing... a hacker can obtain any PHP files...
 
I already have an open ticket for this: mpm-event and no mod_php. I tried to use the Alias function of Apache, which doesn't work at all; .php files are downloaded. If you re-enable mod_php, this works.
 
Meanwhile I found out for myself, but the ticket also cleared some things up. By default in Plesk 12.5 (fresh install) mod_php is disabled and can only be re-enabled if you change the MPM to Prefork. As mod_php is disabled by default, you have to configure a PHP handler yourself, in the vhost.conf for example. Since this information is only found in a KB article from Odin, I asked the Plesk team to include this in the admin documentation and maybe have a hint in the GUI when configuring anything PHP-related that is outside of the normal document root. Hopefully they will do this. I would even prefer adding an automatic PHP handler if using PHP outside of the document root.
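
The symptom reported in this thread (a .php file executed through the nginx front end but returned as source on the Apache port) can be checked on your own server with a harmless canary file. The Python below is an added example, not code from any poster or from Plesk; the file name canary.php, its contents and the function names are assumptions, and ports 80 and 7080 are the ones mentioned in the thread.

```python
import urllib.error
import urllib.request

# Contents of the canary file the admin places in the docroot (constructed).
CANARY_SOURCE = b'<?php echo "canary-" . (6 * 7); ?>'
EXECUTED_MARKER = b"canary-42"   # only present if PHP actually ran
SOURCE_MARKER = b"<?php"         # only present if the file was sent raw


def classify(status, body):
    """Return 'source-leaked', 'executed' or 'inconclusive' for one response."""
    if status != 200:
        return "inconclusive"    # blocked, missing file, or an error page
    if SOURCE_MARKER in body:
        return "source-leaked"   # this listener has no PHP handler mapped
    if EXECUTED_MARKER in body:
        return "executed"
    return "inconclusive"


def fetch(ip, port, vhost, path, timeout=5):
    """GET http://ip:port/path with the vhost's Host header; (status, body)."""
    req = urllib.request.Request(
        f"http://{ip}:{port}{path}", headers={"Host": vhost}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536)
    except urllib.error.HTTPError as err:
        return err.code, b""
    except OSError:
        return 0, b""            # refused, filtered by the firewall, or timeout


def audit(ip, vhost, path="/canary.php", ports=(80, 7080)):
    """Check the nginx front end (80) and Apache back end (7080) of one vhost."""
    return {port: classify(*fetch(ip, port, vhost, path)) for port in ports}
```

Call `audit("<server-ip>", "www.domain.com")` after placing the canary file; a `source-leaked` verdict on 7080 means that listener is serving PHP unexecuted, while a port dropped by the firewall shows as `inconclusive`.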
 