• The BIND DNS server has already been deprecated and removed from Plesk for Windows.
    If a Plesk for Windows server is still using BIND, the upgrade to Plesk Obsidian 18.0.70 will be unavailable until the administrator switches the DNS server to Microsoft DNS. We strongly recommend transitioning to Microsoft DNS within the next 6 weeks, before the Plesk 18.0.70 release.
  • The Horde component is removed from Plesk Installer. We recommend switching to another webmail software supported in Plesk.

HTTP and Security (Horde and SQL) and PCI Compliance -no one is compliant as a result

T

tvcnet

Guest
Hi folks,
I've been hit by some PCI compliance issues and wondering if anyone has ideas on this.

The PCI issue is: Unencrypted Login Information Disclosure
This effectively means that no person on the Planet is PCI compliant unless there is a work around to force HTTPS: on logins.

Example:

Both of these are security issues apparently:
http://www.mydomain.com:8401/mssql/app/connect.aspx
http://www.mydomain.com:8425/imp/login.php

I can't seem to figure how we can force the system in Windows Plesk to only allow HTTPS, like:
https://www.mydomain.com:8401/mssql/app/connect.aspx
https://www.mydomain.com:8425/imp/login.php

And yes, I set up subdomain to allow client's to connect direct using the server name. That is not the issue. The issue is that Plesk allows one to use control panels without https://, so wondering if there is a way to force the system to never allow http://

Thanks,
Jim
 
Wow, this applies to the entire World and no one at Parallels is interested?

I'm a bit surprised. Wasn't aware server security was considered such a low priority at Parallels. :(

Thanks,
-Jim
 
In IIS you can manually configure those sites to require SSL.

Plesk is not PCI compliant out of the box and does not have the ability to make a server PCI compliant through the control panel alone. Your system administrator will need to manually modify several configuration files and apply new policies to pass PCI compliance.
 
Windows Plesk Remains not PCI Compliant due to PHP4?

Hi folks,
Ok, I waited a full year, almost to the day...
And in logging back in I see Windows Plesk 9.2 is still not PCI compliant due to Php < 4.4.9 Multiple Vulnerabilities.

Turning php expose to off has no affect (for those who keep promoting this misinformation).

Is this really true?

Thanks,
Jim
 
Last edited by a moderator:
Anyone have comment about Plesk PCI compliance in this regard?

Thanks,
Jim
 
Back
Top