
Control Panel PHP

rank1st

Guest
Setting up a new server and doing a security scan under 8.3, while there are several warnings, only one vulnerability is reported, as follows:

Vulnerability pcsync-https (8443/tcp)
Synopsis :

The remote web server uses a version of PHP that is affected by
multiple flaws.

Description :

According to its banner, the version of PHP installed on the remote
host is older than 5.2.5. Such versions may be affected by various
issues, including but not limited to several buffer overflows.

See also :

http://www.php.net/releases/5_2_5.php

Solution :

Upgrade to PHP version 5.2.5 or later.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:p/I:p/A:p)
CVE : CVE-2007-4887
BID : 26403
Nessus ID : 28181

Since there are also websites with PHP 5.2.5 installed and happily living on the server, one must assume that the control panel is actually running an older version of PHP. Is it possible to upgrade, or is a patch on the way?

Thanks.
 
Hello rank1st,

Thank you for the report.
It will be fixed in the next version. Please don't try to update admin's PHP manually.
There are no actual known vulnerabilities in Plesk Control Panel 8.3 with PHP 5.2.4.
 
No problem on the next version, but sooner rather than later would be great. It's not so much an issue of if the control panel is working; it's the liability that arises from it. You see, if I perform my server provider's vulnerability check and it comes back as a potential problem and my server gets compromised, this is right where they are going to point. We also like to publish to our clients that our hosting service is secure and safe; if they do the same scan using their own tools, this may very well cost us some business.
 