
PHP version problem for PCI compliance

rong

Guest
The new Plesk 8.4 has php 5.1.6-3.7.fc6 and the PCI Compliance testing company failed me on the compliance test because they say that PHP needs to be updated to V5.2.6 or later. See below:

Security Vulnerabilities
Protocol Port Program Risk
TCP 8443 https-alt 8

Synopsis : The remote web server uses a version of PHP that is affected by multiple flaws.
Description : According to its banner, the version of PHP installed on the remote host is older than 5.2.6. Such versions may be affected by the following issues :
- A stack buffer overflow in FastCGI SAPI.
- An integer overflow in printf().
- An as-yet unspecified security issue tracked by CVE-2008-0599.
- A safe_mode bypass in cURL.
- Incomplete handling of multibyte chars inside escapeshellcmd().
- Issues in the bundled PCRE fixed by version 7.6.
See also : http://archives.neohapsis.com/archives/fulldisclosure/2008-05/0103.html http://archives.neohapsis.com/archives/fulldisclosure/2008-05/0107.html http://www.php.net/releases/5_2_6.php

Solution: Upgrade to PHP version 5.2.6 or later. Risk Factor: High / CVSS Base Score : 7.5 (CVSS2#AV:N/AC:L/Au:N/C:p/I:p/A:p) CVE : CVE-2008-0599 BID : 29009 Other references : Secunia:30048

I have downloaded php-5.2.6.tar.gz. So I guess I need help on whether installing this will cause a problem with the newly installed Plesk 8.4 (UNIX), and where and how to install it.

Thank you in advance.
 
Several comments:

- Plesk doesn't ship PHP, it just installs the version that your OS vendor provides.
- Make sure you and your compliance testing company understand the concept of backporting security fixes: http://www.redhat.com/advice/speaks_backport.html This means the FC6 package of PHP 5.1.6 doesn't necessarily have all the security issues fixed in PHP releases 5.1.7 and later, it just means that it has all the features that were available in PHP 5.1.6.
- Fedora Core 6 has reached End of Life, so you probably have a lot more software with known vulnerabilities installed. There won't be any official OS updates for Fedora Core 6 anymore.
- The Atomic Rocket Turtle might be able to help you out if you're not migrating off Fedora Core 6 yet and need a newer version of PHP. PHP 5.2.6 is still in testing though. Installing PHP from source is not going to play nice with Plesk.
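The backporting point above is the one that trips up banner-based scanners: on a distribution that backports fixes, the version string stays at 5.1.6 while the package changelog records the CVE fix. The shell script below is an added illustration, not code from this thread or from Plesk, of how an administrator can check the two separately. The changelog text is a constructed sample, not a real Fedora Core 6 changelog; on a real RPM-based host the equivalent input comes from `rpm -q --changelog php`.

```shell
#!/bin/sh
# Added example: separate "what the banner says" from "what the package
# actually contains" when answering a scanner finding such as
# "PHP older than 5.2.6, see CVE-2008-0599".
#
# CONSTRUCTED sample changelog (assumption for the demo, not a real entry).
SAMPLE_CHANGELOG='* Tue May 06 2008 Example Maintainer <maint@example.invalid> - 5.1.6-3.8
- backported fix for CVE-2008-0599 (constructed sample entry)
* Mon Jan 01 2007 Example Maintainer <maint@example.invalid> - 5.1.6-3.7
- rebuild'

# Extract the upstream version from an rpm-style name, e.g. "5.1.6-3.7.fc6" -> "5.1.6".
# This is what a scanner sees in the banner and compares against 5.2.6.
upstream_version() {
    printf '%s\n' "$1" | cut -d- -f1
}

# Return 0 when dotted version $1 is strictly older than $2 (numeric per field).
version_older() {
    [ "$1" != "$2" ] && \
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# Return 0 when the changelog text ($2) mentions the CVE id ($1),
# i.e. the vendor recorded a backported fix for it.
cve_in_changelog() {
    printf '%s\n' "$2" | grep -q -- "$1"
}

# Verdict for one package: "upstream-current" (banner already at/after the
# fixed release), "backported" (older banner but the fix is in the changelog),
# or "unfixed" (older banner and no record of the fix).
assess() {
    nvr=$1; cve=$2; fixed_upstream=$3; changelog=$4
    ver=$(upstream_version "$nvr")
    if ! version_older "$ver" "$fixed_upstream"; then
        echo upstream-current
    elif cve_in_changelog "$cve" "$changelog"; then
        echo backported
    else
        echo unfixed
    fi
}

# Demonstration on the package version named in the thread, against the
# constructed changelog above. A real run would substitute:
#   assess "$(rpm -q --qf '%{VERSION}-%{RELEASE}' php)" CVE-2008-0599 5.2.6 "$(rpm -q --changelog php)"
assess "5.1.6-3.7.fc6" CVE-2008-0599 5.2.6 "$SAMPLE_CHANGELOG"
```

The "backported" verdict is what you hand to the compliance tester as evidence; an "unfixed" verdict on an end-of-life OS such as Fedora Core 6 is the real finding, since no further vendor changelog entries will ever appear for it.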
 
> - Plesk doesn't ship PHP, it just installs the version that your OS vendor provides.

I'm not sure that statement is entirely true - and the reason I say that is when I had several RHEL4 servers, RHEL shipped (or at least did at the time; I don't use RHEL anymore so I don't know) with PHP 4 installed. However, PSA installs its own version of Apache and PHP 5 on the server.

I'm fairly sure that PSA installs its own modified version of PHP and a second instance of Apache just to run Plesk and httpsd.
 

We are going to upgrade admin's PHP engine up to 5.2.6 in the next Plesk version.
 
> The new Plesk 8.4 has php 5.1.6-3.7.fc6 and the PCI Compliance testing company failed me on the compliance test because they say that PHP needs to be updated to V5.2.6 or later. See below:
>
> Security Vulnerabilities
> Protocol Port Program Risk
> TCP 8443 https-alt 8

The daemon on port 8443 is psa (Plesk web interface) and that is not using the php package you have installed. Upgrading it won't change anything about psa's internal PHP engine.
 
Plesk 8.4, PHP and Joomla 1.5

Hello, I have a problem with the 5.0.4 version of PHP used with Plesk on my OVH server. With this release, Joomla 1.5 doesn't work (Joomla 1.5 doesn't work with PHP 4.3.9, PHP 4.4.2 or PHP 5.0.4). I have to upgrade the PHP version to 5.2.6 (or another version that works with Plesk and Joomla 1.5).

But I'm a newbie and I'm French :-D

Can you tell me how to proceed, please? (And excuse my poor English.)

Or, do you know when the next release of Plesk (with the PHP upgrade, as Sergius said) will be available?

Thanks a lot.
 
> Hello, I have a problem with the 5.0.4 version of PHP used with Plesk on my OVH server. With this release, Joomla 1.5 doesn't work (Joomla 1.5 doesn't work with PHP 4.3.9, PHP 4.4.2 or PHP 5.0.4). I have to upgrade the PHP version to 5.2.6 (or another version that works with Plesk and Joomla 1.5).

Have you tried installing Joomla 1.5? Maybe the docs are talking about vanilla PHP 5.0.4 instead of the vendor-patched version that you probably have installed. What OS are you running? You might be able to use the Atomic Rocket Turtle repository if your OS is supported.

> Or, do you know when the next release of Plesk (with the PHP upgrade, as Sergius said) will be available?

That won't help as that is only the PHP engine that is used by Plesk internally, not for the hosted sites.
 
Any ideas when the next version (presumably 8.5) is going to be released? I'm getting some serious heat about PCI failures which relate to the fact that ports 8880 and 8443 are both running PHP < 5.2.6.
 