
Control Panel PHP

rank1st

Guest
Setting up a new server and doing a security scan under 8.3; while there are several warnings, only one vulnerability is reported, as follows:

Vulnerability pcsync-https (8443/tcp)
Synopsis :

The remote web server uses a version of PHP that is affected by
multiple flaws.

Description :

According to its banner, the version of PHP installed on the remote
host is older than 5.2.5. Such versions may be affected by various
issues, including but not limited to several buffer overflows.

See also :

http://www.php.net/releases/5_2_5.php

Solution :

Upgrade to PHP version 5.2.5 or later.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:p/I:p/A:p)
CVE : CVE-2007-4887
BID : 26403
Nessus ID : 28181

Since there are also websites with php 5.2.5 installed and happily living on the server, one must assume that the control panel is actually running an older version of php. Is it possible to upgrade, or is a patch on the way?

Thanks.
 
Hello rank1st,

Thank you for the report.
It will be fixed in the next version. Please don't try to update admin's PHP manually.
There are no actual known vulnerabilities in Plesk Control Panel 8.3 with PHP 5.2.4.
 
No problem on the next version, but sooner rather than later would be great. It's not so much an issue of if the control panel is working; it's the liability that arises from it. You see, if I perform my server provider's vulnerability check and it comes back as a potential problem and my server gets compromised, this is right where they are going to point. We also like to publish to our clients that our hosting service is secure and safe; if they do the same scan using their own tools, this may very well cost us some business.
 