be careful! serious possible bug

[sebgonzes]

We have found what appear an serious bug with apache mpm-event (Centos7 with plesk 12.5 MU21)...
If apache is configurated as this, the php5 case is disabled and can't be activated. Well, if you configurate an domain with nginx + php-fpm, you access to http://www.domain.com and all work, in the next time, try to change the url with http://www.domain.com:7080 (apache port) and... php file are downloaded (work also with wp-config.php for exemple) !

Can anyone try it in some other plesk 12.5 server?

If you configure apache with prefork, you can check the php5 checkbox, and problem not appear....

 

[scsa20]

I don't have that problem but I also have my firewall configured to block all ports expect the ports that are actually being used so port 7080 is blocked by IPTables. It's always good practice to drop packets going to unused ports too so you can avoid issues like that. (btw I'm using Plesk's Firewall so manage my firewall rules too)

 

[G J Piper]

I don't have that problem but I also have my firewall configured to block all ports expect the ports that are actually being used so port 7080 is blocked by IPTables.

I enabled the virtuozzo container firewall with a "deny-all" policy. I had to allow input destination ports 7080-7081 to get the web server working.
Should those ports be allowed to "any" or would just 127.0.0.1 work?

 

[sebgonzes]

Well, in our case we can't block this port because we discover the bug in an complex website, that require nginx + php-fpm with specific rewrite rules for the principal website, but also have 2 wordpress in subfolder, that we redirect to apache and 7080 port with our proper .htaccess.
Can someone reproduce the problem? I think, if it's not a config error in our case (I don't think so), it's very critical things... an hacker can obtain any php files....

 

[neutron]

I already have an open ticket for this, mpm-event and no mod_php. Tried to use the Alias function of apache, which doesn't work at all, .php files are downloaded. If you re-enable mod_php, this works.

 

[sebgonzes]

Do you have any answer about your ticket? there is any ID of bugs?

 

[neutron]

Meanwhile i found out for myself, but also the ticket cleared some things up. As per default in Plesk 12.5 (fresh install) mod_php is disabled and can only be re-enabled if you change to MPM to Prefork. As per default mod_php is disabled you have to configure a php-handler yourself, in the vhost.conf for example. Since this information is only found in a KB Article from odin, i asked the plesk team to include this into the admin documentation and maybe have a hint in the gui when configuring anything php-related that is outside of the normal document root. Hopefully they will do this. I even would prefer adding an automatic php-handler if using php outside of document root.