
PCI Security Vulnerabilities in PHP

Discussion in 'Plesk 9.x for Linux Suggestions and Feedback' started by camfam, Jan 13, 2009.

  1. camfam (Guest)

    PCI has failed the server due to PHP 5.2.6 on the server. After updating to Plesk 9.0.2, the PHP version is STILL 5.2.6. PHP must be 5.2.8 to be compliant.

    When can we expect to see 5.2.8 supported by Plesk for Linux/Unix?
     
  2. Amin Taheri (Golden Pleskian, Plesk Certified Professional; Seattle Area)

    To be honest, next year probably. It took them a year to go from 5.1.x to 5.2.x.
     
  3. jamescrown (Guest)

    I've contacted parallels about this and they claim their build of 5.2.6 is secure, however they cannot provide any documentation and the build dates leave me questionable. Regardless, php.net says use 5.2.8 and I'd trust them to know their own product.

    To pass PCI compliance you can hide the version of PHP by setting expose_php = Off in your php.ini
     
  4. nforde (Basic Pleskian)

    Our server has plesk 9 and PHP 5.2.8 and all seems fine.

    Our PHP automatically updated to 5.2.8 using the 'yum' command.

    You just need to use yum and the 'atomic' yum repository. For details see http://www.atomicorp.com/channels/atomic/

    The changelog (for several repositories, not just the 'atomic' repository) shows that PHP 5.2.8 was added to the atomic repository on 5th January - http://3es.atomicrocketturtle.com/Changelog

    I have no idea why Plesk are so useless at keeping our servers up to date, especially when it's so simple.
     
  5. gwider (Guest)

    Hi Nforde,

    I presume you're referring to your main PHP installation.
    Plesk brings its own webserver for port 8443, with its own PHP version. It would surprise me if that could simply be updated.
    I don't know how we can increase the pressure on Plesk to provide up-to-date components which don't give PCI headaches.

    Have a good day!
    G
     
  6. Brujo (Regular Pleskian; Germany)

    Same with the stone-old integrated phpMyAdmin version which comes with Plesk.

    Brujo
     
  7. nforde (Basic Pleskian)

    Yeah, sorry. I didn't realise you were talking about the PHP used for the control panel interface. We haven't upgraded that since we don't need to be PCI compliant and if anything went wrong Plesk wouldn't want to know about it.

    One possible option may be to have a second server which is PCI compatible (without the Plesk control panel interface installed), but still managed by Plesk which is only installed on your current server. Not sure if that's possible as I just have the one server.
     
  8. risede (Basic Pleskian)

    Hi Gang,

    You can "bypass" the PCI Compliance issue by modifying the php.ini file.

    The default installation for Plesk PHP exposes the PHP header information by adding its signature to the web server header. That is how the PCI Compliance companies "see" what version you are using. You can turn this off with (so far) no ill effects by going to php.ini in %plesk_dir%/admin and changing:

    expose_php = On

    to

    expose_php = Off
     
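    The banner check and the php.ini toggle described in jamescrown's post (3) and risede's post (8) above, as an added example that is not part of the thread and not Plesk's own tooling. It runs in POSIX sh against constructed sample HTTP headers and a constructed php.ini fragment; the function names (php_banner_version, version_at_least, set_expose_php_off) and all sample data are my own and are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the thread or from Plesk: what an external scanner
# sees in the HTTP banner, and the expose_php toggle applied to a php.ini.
# Function names and all sample data below are constructed for illustration.

# Constructed sample responses, as "curl -sI https://host/" would show them.
# First: PHP 5.2.6 with expose_php = On (PHP's default). Second: expose_php = Off.
SAMPLE_HEADERS_EXPOSED='HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Content-Type: text/html'

SAMPLE_HEADERS_HIDDEN='HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Content-Type: text/html'

# Read response headers on stdin and print the PHP version advertised in the
# X-Powered-By header (prints nothing if the header is absent). Live use:
#   curl -sI https://host:8443/ | php_banner_version
php_banner_version() {
    tr -d '\r' | sed -n 's/^[Xx]-[Pp]owered-[Bb]y:[[:space:]]*PHP\/\([0-9.]*\).*/\1/p'
}

# version_at_least HAVE WANT: succeed if dotted numeric version HAVE >= WANT.
# Plain numeric components only (5.2.6, 5.2.8); no release suffixes.
version_at_least() {
    have="$1." want="$2." i=1          # trailing dot so cut always sees a delimiter
    while :; do
        h=$(printf '%s' "$have" | cut -d. -f"$i")
        w=$(printf '%s' "$want" | cut -d. -f"$i")
        [ -z "$h" ] && [ -z "$w" ] && return 0   # ran out of components: equal
        h=${h:-0} w=${w:-0}                      # missing component counts as 0
        [ "$h" -gt "$w" ] && return 0
        [ "$h" -lt "$w" ] && return 1
        i=$((i + 1))
    done
}

# Read a php.ini on stdin and write it back with expose_php forced Off.
# An active "expose_php = On" line is rewritten in place; a commented-out
# line (";expose_php = On") is left alone and an explicit Off is appended,
# because PHP's built-in default for expose_php is On.
set_expose_php_off() {
    awk '
        /^[[:space:]]*expose_php[[:space:]]*=/ { print "expose_php = Off"; seen = 1; next }
        { print }
        END { if (!seen) print "expose_php = Off" }
    '
}

# Demonstration on the constructed data (a live check prints the same kind of line).
v=$(printf '%s\n' "$SAMPLE_HEADERS_EXPOSED" | php_banner_version)
if [ -z "$v" ]; then
    echo "no PHP version in the banner (expose_php = Off, or no PHP)"
elif version_at_least "$v" 5.2.8; then
    echo "banner advertises PHP $v: meets the 5.2.8 minimum"
else
    echo "banner advertises PHP $v: a scanner will flag this"
fi
printf 'expose_php = On\nmemory_limit = 128M\n' | set_expose_php_off
```

    Two caveats for anyone applying this. Turning expose_php off only removes the X-Powered-By header; the PHP binary is unchanged, so it addresses how the scanner identifies the version, not the issues in the version itself, and the lasting fix is the newer build (or vendor documentation of backported fixes, which the ASV process accepts when it exists). Apache's own "Server:" line is a separate banner governed by ServerTokens, and, as posts 5 and 8 note, the Plesk panel on port 8443 runs its own PHP with its own php.ini under the Plesk admin directory, so run the header check against both the sites and the panel and apply the toggle to each php.ini.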
  9. risede (Basic Pleskian)

    Incidentally, I upgraded to 9.0 mistakenly because I assumed it would be using the latest PHP release, and I was getting hammered with non-PCI Compliant charges by my merchant account processor. Boy, what a costly mistake that was! I no longer have backups of my individual domains for my customers to download from an off-site FTP server like I had for them. I'm getting beat up all over the place for this pricey mistake.

    Anyway, I came across the php.ini fix after the horrible upgrade to 9.0. Hope it helps someone.
     