• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

lighttpd (aka sw-cp-server) security and PCI compliance issues

H

HostaHost

Regular Pleskian
Does anyone know what actual version of lighttpd the sw-cp-server is based on? The version output it spits out always says 1.0.0 while the Plesk rpm will be 1.0.6 or 1.0.7 (plesk 9 vs 10). However, I can't imagine those are the actual versions of lighttpd because there hasn't been a 1.0.x release of that in 7+ years from what I can tell.

The reason I ask is because the current Plesk lighttpd-based web server in both version 9 and 10 (haven't tried 11 yet) is vulnerable to SSL renegotiation attacks CVE CVE-2011-1473 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1473) and the SSL BEAST attack (https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls). Several PCI scanning companies are starting to fail sites over either, or both, of these alerts due to port 8443 having the vulnerabilities.

lighttpd versions 1.4.30 and newer from late 2011 resolve this issue:

http://redmine.lighttpd.net/versions/28

ssl: disable client initiated renegotiations
ssl: support mitigating BEAST attack


Has Parallels customized lighttpd in any way beyond the config files or could we potentially drop a copy of 1.4.31 on top of the sw-cp-server binary to close the vulnerability?
 
Parallels; any update on this? Plesk 9 and 10 FAIL PCI because of this issue. The issue has already been fixed in later versions of lighttpd. Can we overwrite, or do we have to wait for you to fix it? And if we have to wait, will you ever fix it?
 
Hello, Hostasaurus.Com

think I can provide you binary files of sw-cp-serverd.
could you please provide OS version and arch (x32/x64) of plesk 10.4.4 instance which have to be PCI compliance?
 
I too need thid fix for PCI complience

This is my current server info


OS Linux 2.6.18-194.17.1.el5
Panel version 10.4.4 Update #41, last updated at Aug 6, 2012 04:04 AM

as you can see I can't upgrade cleanly to 11 because lack of support for this version of linux. or at least that is what the upgrade process is telling me. Please help us here!

this is the PCI report from trustwave.com
----------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------
SSLv2 Supported
This SSL service supports SSLv2 connections. SSLv2 has known
cryptographic weaknesses that can lead to the compromise of data
encrypted during the SSL session. Secure web applications should
only enable SSLv3, TLSv1, or newer. SSLv3 was released in 1996
with numerous security enhancements over SSLv2. TLSv1 was
introduced in 1999 as an enhancement to the security features of
SSLv3. All modern browsers have support for both SSLv3 and TLSv1,
and often disable support for SSLv2 in the interests of security. The
PCI ASV Operational Requirements requires that if SSLv2 is used in
the transmission of cardholder data, this must result in a failure. This
was clarified in the PCI "Assessor Update: November 2008" (see the
reference link in this finding).
CVSSv2: AV:N/AC:L/Au:N/C:p/I:N/A:N(5.00)
Reference: http://support.microsoft.com/kb/187498,
http://httpd.apache.org/docs/2.2/ssl/, http://www.schneier.com/paperssl.
pdf
Service: https
----------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------
Jerry Daub
[email protected]

Nantucket.net
 
mouse Jerry said:
This is my current server info


OS Linux 2.6.18-194.17.1.el5
Panel version 10.4.4 Update #41, last updated at Aug 6, 2012 04:04 AM

as you can see I can't upgrade cleanly to 11 because lack of support for this version of linux. or at least that is what the upgrade process is telling me. Please help us here!

this is the PCI report from trustwave.com
SSLv2 Supported
Click to expand...

SSLv2 has nothing to do with this thread, this is about PCI failures for SSL renegotiation. See http://forum.parallels.com/showthread.php?t=261825 for the appropriate cipher.lst file for fixing the SSLv2 issue.
 
sw-cp-serverd have to be stopped by command:

/etc/init.d/sw-cp-server stop

Following files have to be backuped and than replaced:

/usr/sbin/sw-cp-serverd

for x32:
/usr/lib/sw-cp-server/modules/

for x64:
/usr/lib64/sw-cp-server/modules/


Start sw-cp-serverd by command:
/etc/init.d/sw-cp-server start


Now default cipher will be DHE-RSA-AES256-SHA
 
You must log in or register to reply here.

Similar threads

D
PCI compliance still fails due to SSL Renegotiation DoS vulnerability in Qmail/IMAP
Replies
2
Views
3K
DragonAss
D
Back
Top