PHP version problem for PCI compliance

Discussion in 'Plesk for Linux - 8.x and Older' started by rong, May 7, 2008.

  1. rong

    rong Guest

    The new Plesk 8.4 has php 5.1.6-3.7.fc6 and the PCI Compliance testing company failed me on the compliance test because they say that PHP needs to be updated to V5.2.6 or later. See below:

    Security Vulnerabilities
    Protocol Port Program Risk
    TCP 8443 https-alt 8

    Synopsis : The remote web server uses a version of PHP that is affected by multiple flaws. Description : According to its banner, the version of PHP installed on the remote host is older than 5.2.6. Such versions may be affected by the following issues : - A stack buffer overflow in FastCGI SAPI. - An integer overflow in printf(). - An as-yet unspecified security issue tracked by CVE-2008-0599. - A safe_mode bypass in cURL. - Incomplete handling of multibyte chars inside escapeshellcmd(). - Issues in the bundled PCRE fixed by version 7.6. See also : http://archives.neohapsis.com/archives/fulldisclosure/2008-05/0103.html http://archives.neohapsis.com/archives/fulldisclosure/2008-05/0107.html http://www.php.net/releases/5_2_6.php

    Solution: Upgrade to PHP version 5.2.6 or later. Risk Factor: High / CVSS Base Score : 7.5 (CVSS2#AV:N/AC:L/Au:N/C:p/I:p/A:p) CVE : CVE-2008-0599 BID : 29009 Other references : Secunia:30048

    I have downloaded php-5.2.6.tar.gz. So I guess I need help on whether installing this will cause a problem with the newly installed Plesk 8.4 (UNIX) and where & how to install it.

    Thank you in advance.
     
  2. breun

    breun Golden Pleskian

    Joined:
    Jun 28, 2005
    Messages:
    1,647
    Likes Received:
    0
    Several comments:

    - Plesk doesn't ship PHP, it just installs the version that your OS vendor provides.
    - Make sure you and your compliance testing company understand the concept of backporting security fixes: http://www.redhat.com/advice/speaks_backport.html This means the FC6 package of PHP 5.1.6 doesn't necessarily have all the security issues fixed in PHP releases 5.1.7 and later, it just means that it has all the features that were available in PHP 5.1.6.
    - Fedora Core 6 has reached End of Life, so you probably have a lot more software with known vulnerabilities installed. There won't be any official OS updates for Fedora Core 6 anymore.
    - The Atomic Rocket Turtle might be able to help you out if you're not migrating off Fedora Core 6 yet and need a newer version of PHP. PHP 5.2.6 is still in testing though. Installing PHP from source is not going to play nice with Plesk.
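
To illustrate breun's backporting point, here is an added Python example (not from the thread, Plesk or Fedora): it flags the package the way a banner-based scanner does, then checks a vendor package changelog for the CVE named in the report before calling the host vulnerable. The changelog excerpt and the `example.invalid` maintainer address are constructed for the example and do not describe the real FC6 php package.

```python
import re

# Upstream version the scanner in the thread treats as the fix threshold.
FIXED_UPSTREAM = (5, 2, 6)

# Constructed sample: the package string the first poster reports.
INSTALLED_PACKAGE = "php-5.1.6-3.7.fc6"

# Constructed excerpt in the style of `rpm -q --changelog php`. Hypothetical
# entries only; they show the kind of evidence that settles a backporting
# question, not the real state of the FC6 package.
CHANGELOG = """\
* Mon May 12 2008 Maintainer <maint@example.invalid> 5.1.6-3.7
- add security fix for CVE-2008-0599 (backported from 5.2.6)
* Wed Feb 20 2008 Maintainer <maint@example.invalid> 5.1.6-3.6
- rebuild for FC6 updates
"""

def parse_package(name):
    """Split 'php-5.1.6-3.7.fc6' into (upstream version tuple, release string)."""
    m = re.fullmatch(r"php-(\d+(?:\.\d+)*)-([\w.]+)", name)
    if not m:
        raise ValueError(f"unrecognised package string: {name!r}")
    version = tuple(int(x) for x in m.group(1).split("."))
    return version, m.group(2)

def banner_check(version, fixed=FIXED_UPSTREAM):
    """What the scanner does: flag any upstream version below the threshold."""
    return version < fixed

def changelog_mentions(changelog, cve):
    """What a reviewer does: look for the CVE id in the vendor changelog."""
    return re.search(re.escape(cve) + r"\b", changelog) is not None

def triage(package, changelog, cve):
    """Return 'not-flagged', 'patched-backport' or 'vulnerable'."""
    version, _release = parse_package(package)
    if not banner_check(version):
        return "not-flagged"
    # A banner hit alone is not proof: the vendor release may carry the fix.
    return "patched-backport" if changelog_mentions(changelog, cve) else "vulnerable"

if __name__ == "__main__":
    print(parse_package(INSTALLED_PACKAGE))
    print(triage(INSTALLED_PACKAGE, CHANGELOG, "CVE-2008-0599"))
```

An empty or CVE-free changelog still yields "vulnerable", so the check never downgrades a finding without written vendor evidence.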
     
  3. Amin Taheri

    Amin Taheri Golden Pleskian Plesk Certified Professional

    Joined:
    Jul 5, 2007
    Messages:
    1,398
    Likes Received:
    1
    Location:
    Seattle Area
    I'm not sure that statement is entirely true - and the reason I say that is when I had several RHEL4 servers, RHEL shipped (or at least did at the time, I don't use RHEL anymore so I don't know) with php4 installed. However PSA installs their own version of apache and php5 on the server.

    I'm fairly sure that PSA installs their own modified version of php and a second instance of apache just to run plesk and httpsd.
     
  4. atomicturtle

    atomicturtle Golden Pleskian

    Joined:
    Nov 20, 2002
    Messages:
    2,110
    Likes Received:
    7
    Location:
    Washington, DC
    That php5 package is used by Sitebuilder as a CGI, I think.
     
  5. breun

    breun Golden Pleskian

    Joined:
    Jun 28, 2005
    Messages:
    1,647
    Likes Received:
    0
    Yep, that php5 package is only used by Sitebuilder.
     
  6. sergius

    sergius Golden Pleskian

    Joined:
    Nov 6, 2005
    Messages:
    1,898
    Likes Received:
    0
    We are going to upgrade admin's PHP engine up to 5.2.6 in the next Plesk version.
     
  7. breun

    breun Golden Pleskian

    Joined:
    Jun 28, 2005
    Messages:
    1,647
    Likes Received:
    0
    The daemon on port 8443 is psa (Plesk web interface) and that is not using the php package you have installed. Upgrading it won't change anything about psa's internal PHP engine.
     
  8. mformidable

    mformidable Guest

    Plesk 8.4, PHP and Joomla 1.5

    Hello, I have a problem with the 5.0.4 version of PHP used with Plesk on my OVH server. With this release, Joomla 1.5 doesn't work (Joomla 1.5 doesn't work with PHP 4.3.9, PHP 4.4.2 or PHP 5.0.4). I have to upgrade the PHP version to 5.2.6 (or another version working with Plesk and Joomla 1.5).

    But I'm a newbie and I'm French :-D

    Can you tell me how to proceed, please? (And excuse my poor English.)

    Or, do you know when the next release of Plesk (with the upgrade of PHP as Sergius said) will be effective ?

    Thanks a lot.
     
  9. breun

    breun Golden Pleskian

    Joined:
    Jun 28, 2005
    Messages:
    1,647
    Likes Received:
    0
    Have you tried installing Joomla 1.5? Maybe the docs are talking about vanilla PHP 5.0.4 instead of the vendor-patched version that you probably have installed. What OS are you running? You might be able to use the Atomic Rocket Turtle repository if your OS is supported.

    That won't help as that is only the PHP engine that is used by Plesk internally, not for the hosted sites.
     
  10. drjermy

    drjermy Guest

    Any ideas when the next version (presumably 8.5) is going to be released? I'm getting some serious heat about PCI failures which relate to the fact that ports 8880 and 8443 are both running PHP < 5.2.6.
     
  11. Amin Taheri

    Amin Taheri Golden Pleskian Plesk Certified Professional

    Joined:
    Jul 5, 2007
    Messages:
    1,398
    Likes Received:
    1
    Location:
    Seattle Area
    Last I heard, 9.0 is slated for Q1 of next year.
     