
Control Panel PHP

Discussion in 'Plesk for Windows - 8.x and Older' started by rank1st, Feb 13, 2008.

  1. rank1st

    rank1st Guest

    Setting up a new server and doing a security scan under 8.3. While there are several warnings, only one vulnerability is reported, as follows:

    Vulnerability pcsync-https (8443/tcp)
    Synopsis :

    The remote web server uses a version of PHP that is affected by
    multiple flaws.

    Description :

    According to its banner, the version of PHP installed on the remote
    host is older than 5.2.5. Such versions may be affected by various
    issues, including but not limited to several buffer overflows.

    See also :


    Solution :

    Upgrade to PHP version 5.2.5 or later.

    Risk factor :

    High / CVSS Base Score : 7.5
    CVE : CVE-2007-4887
    BID : 26403
    Nessus ID : 28181

    Since there are also websites with PHP 5.2.5 installed and happily living on the server, one must assume that the control panel is actually running an older version of PHP. Is it possible to upgrade, or is a patch on the way?

  2. sergius

    sergius Golden Pleskian

    Nov 6, 2005
    Hello rank1st,

    Thank you for the report.
    It will be fixed in the next version. Please don't try to update admin's PHP manually.
    There are no actual known vulnerabilities in Plesk Control Panel 8.3 with PHP 5.2.4.
  3. rank1st

    rank1st Guest

    No problem on the next version, but sooner rather than later would be great. It's not so much an issue of whether the control panel is working; it's the liability that arises from it. You see, if I perform my server provider's vulnerability check and it comes back as a potential problem and my server gets compromised, this is right where they are going to point. We also like to publish to our clients that our hosting service is secure and safe; if they do the same scan using their own tools, this may very well cost us some business.