
PCI Security Vulnerabilities in PHP


camfam

Guest
PCI has failed the server due to PHP 5.2.6 on the server. After updating to Plesk 9.0.2, the PHP version is STILL 5.2.6. PHP must be 5.2.8 to be compliant.

When can we expect to see 5.2.8 supported by Plesk for Linux/Unix?
 
I've contacted Parallels about this and they claim their build of 5.2.6 is secure; however, they cannot provide any documentation and the build dates leave me doubtful. Regardless, php.net says use 5.2.8 and I'd trust them to know their own product.

To pass PCI compliance you can hide the version of PHP by setting expose_php = Off in your php.ini
 
Our server has plesk 9 and PHP 5.2.8 and all seems fine.

Our PHP automatically updated to 5.2.8 using the 'yum' command.

You just need to use Yum and the 'atomic' yum repository. For details see http://www.atomicorp.com/channels/atomic/

The changelog (for several repositories, not just the 'atomic' repository) shows that PHP5.2.8 was added to the atomic repository on 5th January - http://3es.atomicrocketturtle.com/Changelog

I have no idea why Plesk are so useless at keeping our servers up to date, especially when it's so simple.
 
Hi Nforde,

I presume you're referring to your main PHP Installation.
Plesk brings its own webserver for port 8443, with its own PHP version. It would surprise me if that could simply be updated.
I don't know how we can increase the pressure on Plesk to provide up-to-date components which don't give PCI headaches.

Have a good day!
G
 
Same with the stone-old integrated phpMyAdmin version which comes with Plesk.

Brujo
 
Hi Nforde,

I presume you're referring to your main PHP Installation.

G

Yeah, sorry. I didn't realise you were talking about the PHP used for the control panel interface. We haven't upgraded that since we don't need to be PCI compliant and if anything went wrong Plesk wouldn't want to know about it.

One possible option may be to have a second server which is PCI compatible (without the Plesk control panel interface installed), but still managed by Plesk which is only installed on your current server. Not sure if that's possible as I just have the one server.
 
Hi Gang,

You can "bypass" the PCI Compliance issue by modifying the php.ini file.

The default installation for Plesk PHP exposes the PHP header information by adding its signature to the web server header. That is how the PCI compliance companies "see" what version you are using. You can turn this off with (so far) no ill effects by going to php.ini in %plesk_dir%/admin and changing:

expose_php = On

to

expose_php = Off
 
Incidentally, I upgraded to 9.0 mistakenly because I assumed it would be using the latest PHP release, and I was getting hammered with non-PCI Compliant charges by my merchant account processor. Boy, what a costly mistake that was! I no longer have backups of my individual domains for my customers to download from an off-site FTP server like I had for them. I'm getting beat up all over the place for this pricey mistake.

Anyway, I came across the php.ini fix after the horrible upgrade to 9.0. Hope it helps someone.
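The two things suggested in this thread, hiding the version string with expose_php = Off and making sure the PHP build really is 5.2.8 or later, can both be checked from a script. The following is an added example and is not code posted by anyone in the thread nor shipped with Plesk: it parses a constructed HTTP response for a PHP version in the X-Powered-By or Server header, compares it against the 5.2.8 minimum the scanner demanded, and rewrites php.ini text so that expose_php is Off (handling an active line, a commented-out line, and a file without the directive). The two sample responses and the php.ini fragments are constructed, not captured from a real host. Hiding the banner only stops scanners that fingerprint by header; a PHP 5.2.6 with known bugs is just as exploitable after the change.

```python
"""Check for PHP version disclosure in HTTP headers and harden php.ini.

Added example for this thread; not from the original posts or from Plesk.
The HTTP responses below are constructed for illustration.
"""
import re
from typing import Dict, Optional, Tuple

# Headers that commonly carry a "PHP/x.y.z" token when expose_php = On
# (X-Powered-By) or when Apache's ServerTokens is set to Full (Server).
DISCLOSING_HEADERS = ("x-powered-by", "server")
PHP_VERSION_RE = re.compile(r"PHP/(\d+(?:\.\d+)*)", re.IGNORECASE)

# The version the PCI scanner in the thread insisted on.
MINIMUM_PHP = (5, 2, 8)

# Constructed sample: what a Plesk 9.0.2 box with expose_php = On might return.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.3 (CentOS)\r\n"
    "X-Powered-By: PHP/5.2.6\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed sample: same server after expose_php = Off and ServerTokens Prod.
QUIET_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Split a raw HTTP response into a lower-cased header name -> value dict."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def disclosed_php_version(raw_response: str) -> Optional[Tuple[int, ...]]:
    """Return the PHP version advertised in the headers as a tuple, or None."""
    headers = parse_headers(raw_response)
    for name in DISCLOSING_HEADERS:
        match = PHP_VERSION_RE.search(headers.get(name, ""))
        if match:
            return tuple(int(part) for part in match.group(1).split("."))
    return None


def below_minimum(version: Tuple[int, ...], minimum: Tuple[int, ...] = MINIMUM_PHP) -> bool:
    """Tuple comparison, so 5.2.10 correctly sorts after 5.2.8 (a string compare would not)."""
    return version < minimum


def set_expose_php_off(ini_text: str) -> str:
    """Return php.ini text with expose_php forced to Off.

    Replaces an existing 'expose_php = ...' line, re-activates a commented-out
    ';expose_php = ...' line, and appends the directive if the file has none.
    php.ini keys are case-insensitive, so the match is too.
    """
    pattern = re.compile(r"^[ \t]*;?[ \t]*expose_php[ \t]*=.*$", re.IGNORECASE | re.MULTILINE)
    replacement = "expose_php = Off"
    if pattern.search(ini_text):
        return pattern.sub(replacement, ini_text)
    if ini_text and not ini_text.endswith("\n"):
        ini_text += "\n"
    return ini_text + replacement + "\n"


def fetch_disclosed_version(url: str) -> Optional[Tuple[int, ...]]:
    """Live variant against a host you are authorised to scan (needs network)."""
    import urllib.request
    with urllib.request.urlopen(url, timeout=10) as resp:
        raw = "HTTP/1.1 %d OK\r\n" % resp.status
        raw += "".join("%s: %s\r\n" % (k, v) for k, v in resp.getheaders()) + "\r\n"
    return disclosed_php_version(raw)


if __name__ == "__main__":
    for label, response in (("leaky", LEAKY_RESPONSE), ("quiet", QUIET_RESPONSE)):
        found = disclosed_php_version(response)
        if found is None:
            print("%s: no PHP version disclosed in headers" % label)
        else:
            verdict = "below" if below_minimum(found) else "meets"
            print("%s: PHP %s disclosed, %s minimum" % (label, ".".join(map(str, found)), verdict))
    print(set_expose_php_off(";expose_php = On\nmemory_limit = 128M\n"), end="")
```

Run the script as-is to see the constructed cases, or call fetch_disclosed_version("http://host/") against a server you are allowed to test. The ini rewrite works on the text, so apply it to a copy of %plesk_dir%/admin/conf/php.ini (or wherever your build keeps it) and diff before restarting the service.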
 