
Control Panel PHP

rank1st

Setting up a new server and doing a security scan under 8.3, while there are several warnings, only one vulnerability is reported, as follows:

Vulnerability pcsync-https (8443/tcp)
Synopsis :

The remote web server uses a version of PHP that is affected by
multiple flaws.

Description :

According to its banner, the version of PHP installed on the remote
host is older than 5.2.5. Such versions may be affected by various
issues, including but not limited to several buffer overflows.

See also :

http://www.php.net/releases/5_2_5.php

Solution :

Upgrade to PHP version 5.2.5 or later.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:p/I:p/A:p)
CVE : CVE-2007-4887
BID : 26403
Nessus ID : 28181

Since there are also websites with php 5.2.5 installed and happily living on the server, one must assume that the control panel is actually running an older version of php. Is it possible to upgrade or is a patch on the way?

Thanks.
 
Hello rank1st,

Thank you for the report.
It will be fixed in the next version. Please don't try to update admin's PHP manually.
There are no actual known vulnerabilities in Plesk Control Panel 8.3 with PHP 5.2.4.
 
No problem on the next version, but sooner rather than later would be great. It's not so much an issue of if the control panel is working, it's the liability that arises from it. You see, if I perform my server provider's vulnerability check and it comes back as a potential problem and my server gets compromised, this is right where they are going to point. We also like to publish to our clients that our hosting service is secure and safe; if they do the same scan using their own tools, this may very well cost us some business.
 