
HTTP and Security (Horde and SQL) and PCI Compliance - no one is compliant as a result

Discussion in 'Plesk for Windows - 8.x and Older' started by tvcnet, Feb 10, 2009.

  1. tvcnet

    tvcnet Guest

     
    Hi folks,
    I've been hit by some PCI compliance issues and wondering if anyone has ideas on this.

    The PCI issue is: Unencrypted Login Information Disclosure
    This effectively means that no person on the planet is PCI compliant unless there is a workaround to force HTTPS: on logins.

    Example:

    Both of these are security issues apparently:
    http://www.mydomain.com:8401/mssql/app/connect.aspx
    http://www.mydomain.com:8425/imp/login.php

    I can't seem to figure out how we can force the system in Windows Plesk to only allow HTTPS, like:
    https://www.mydomain.com:8401/mssql/app/connect.aspx
    https://www.mydomain.com:8425/imp/login.php

    And yes, I set up a subdomain to allow clients to connect directly using the server name. That is not the issue. The issue is that Plesk allows one to use control panels without https://, so wondering if there is a way to force the system to never allow http://

    Thanks,
    Jim
     
  2. tvcnet

    tvcnet Guest

     
    Wow, this applies to the entire World and no one at Parallels is interested?

    I'm a bit surprised. Wasn't aware server security was considered such a low priority at Parallels. :(

    Thanks,
    -Jim
     
  3. jamescrown

    jamescrown Guest

     
    In IIS you can manually configure those sites to require SSL.

    Plesk is not PCI compliant out of the box and does not have the ability to make a server PCI compliant through the control panel alone. Your system administrator will need to manually modify several configuration files and apply new policies to pass PCI compliance.
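
A way to confirm the result after requiring SSL on those sites, as an added example that is not part of any post in this thread: it requests each login URL over plain HTTP and reports whether a password form is still served. The function names `classify` and `probe` are this example's own, the host is the thread's placeholder, and treating HTTP 403 as a pass assumes IIS's "SSL required" response (403.4).

```python
import http.client
import re
import urllib.error
import urllib.request

# Constructed targets: the placeholder host and ports quoted in the thread.
SAMPLE_URLS = [
    "http://www.mydomain.com:8401/mssql/app/connect.aspx",
    "http://www.mydomain.com:8425/imp/login.php",
]
PASSWORD_FIELD = re.compile(r"<input[^>]+type\s*=\s*[\"']?password", re.I)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx as an HTTPError instead of following it


def classify(status, location, body):
    """Return (verdict, reason) for the answer a plain-HTTP request received."""
    if status is None:
        return "PASS", "no plain-HTTP answer (confirm the host is reachable)"
    if 300 <= status < 400:
        if (location or "").lower().startswith("https://"):
            return "PASS", "redirects to HTTPS"
        return "FAIL", "redirects, but not to HTTPS"
    if status == 403:
        return "PASS", "refused (assumed to be IIS 403.4, SSL required)"
    if status == 200 and PASSWORD_FIELD.search(body or ""):
        return "FAIL", "login form served over plain HTTP"
    return "REVIEW", f"unexpected status {status}"


def probe(url, timeout=5):
    """Fetch url without following redirects and classify the answer."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read(65536).decode("latin-1")
            return classify(resp.status, resp.headers.get("Location"), body)
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx arrive here
        return classify(err.code, err.headers.get("Location"), "")
    except (urllib.error.URLError, http.client.HTTPException, OSError):
        return classify(None, None, "")  # refused, reset, timed out


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, *probe(url))
```

Run it from outside the server so it sees the same listener a PCI scanner would; a `REVIEW` verdict means the response needs a manual look.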
     
  4. James Walker

    James Walker Guest

     
    Windows Plesk Remains not PCI Compliant due to PHP4?

    Hi folks,
    Ok, I waited a full year, almost to the day...
    And in logging back in I see Windows Plesk 9.2 is still not PCI compliant due to PHP < 4.4.9 Multiple Vulnerabilities.

    Turning php expose to off has no effect (for those who keep promoting this misinformation).

    Is this really true?

    Thanks,
    Jim
     
    Last edited by a moderator: Feb 15, 2010
  5. James Walker

    James Walker Guest

     
    Anyone have a comment about Plesk PCI compliance in this regard?

    Thanks,
    Jim
     
  6. IgorG

    IgorG Forums Analyst Staff Member

    Look at this - http://download1.parallels.com/Plesk/Panel9.5/plesk-9.5.0-for-windows.htm#20

     
  7. James Walker

    James Walker Guest

     
    Cool! I'll check this out.
    Many thanks,
    Jim
     
  8. James Walker

    James Walker Guest

     
  9. IgorG

    IgorG Forums Analyst Staff Member

    As soon as 9.5 is released in April.
     