PHP version problem for PCI compliance

rong (Guest)
The new Plesk 8.4 has php 5.1.6-3.7.fc6 and the PCI Compliance testing company failed me on the compliance test because they say that PHP needs to be updated to V5.2.6 or later. See below:

Security Vulnerabilities
Protocol Port Program Risk
TCP 8443 https-alt 8

Synopsis : The remote web server uses a version of PHP that is affected by multiple flaws.
Description : According to its banner, the version of PHP installed on the remote host is older than 5.2.6. Such versions may be affected by the following issues :
- A stack buffer overflow in FastCGI SAPI.
- An integer overflow in printf().
- An as-yet unspecified security issue tracked by CVE-2008-0599.
- A safe_mode bypass in cURL.
- Incomplete handling of multibyte chars inside escapeshellcmd().
- Issues in the bundled PCRE fixed by version 7.6.
See also :
http://archives.neohapsis.com/archives/fulldisclosure/2008-05/0103.html
http://archives.neohapsis.com/archives/fulldisclosure/2008-05/0107.html
http://www.php.net/releases/5_2_6.php

Solution: Upgrade to PHP version 5.2.6 or later.
Risk Factor: High / CVSS Base Score : 7.5 (CVSS2#AV:N/AC:L/Au:N/C:p/I:p/A:p)
CVE : CVE-2008-0599
BID : 29009
Other references : Secunia:30048

I have downloaded php-5.2.6.tar.gz, so I guess I need help on whether installing this will cause a problem with the newly installed Plesk 8.4 (UNIX), and where and how to install it.

Thank you in advance.
 
Several comments:

- Plesk doesn't ship PHP, it just installs the version that your OS vendor provides.
- Make sure you and your compliance testing company understand the concept of backporting security fixes (see http://www.redhat.com/advice/speaks_backport.html). This means the FC6 package of PHP 5.1.6 doesn't necessarily have all the security issues fixed in PHP releases 5.1.7 and later; it just means that it has all the features that were available in PHP 5.1.6.
- Fedora Core 6 has reached End of Life, so you probably have a lot more software with known vulnerabilities installed. There won't be any official OS updates for Fedora Core 6 anymore.
- The Atomic Rocket Turtle might be able to help you out if you're not migrating off Fedora Core 6 yet and need a newer version of PHP. PHP 5.2.6 is still in testing though. Installing PHP from source is not going to play nice with Plesk.
 
- Plesk doesn't ship PHP, it just installs the version that your OS vendor provides.
I'm not sure that statement is entirely true, and the reason I say that is that when I had several RHEL4 servers, RHEL shipped (or at least did at the time; I don't use RHEL anymore so I don't know) with php4 installed. However, PSA installs its own version of Apache and php5 on the server.

I'm fairly sure that PSA installs its own modified version of PHP and a second instance of Apache just to run Plesk and httpsd.
 
The new Plesk 8.4 has php 5.1.6-3.7.fc6 and the PCI Compliance testing company failed me on the compliance test because they say that PHP needs to be updated to V5.2.6 or later. See below:

Security Vulnerabilities
Protocol Port Program Risk
TCP 8443 https-alt 8

Synopsis : The remote web server uses a version of PHP that is affected by multiple flaws.
Description : According to its banner, the version of PHP installed on the remote host is older than 5.2.6. Such versions may be affected by the following issues :
- A stack buffer overflow in FastCGI SAPI.
- An integer overflow in printf().
- An as-yet unspecified security issue tracked by CVE-2008-0599.
- A safe_mode bypass in cURL.
- Incomplete handling of multibyte chars inside escapeshellcmd().
- Issues in the bundled PCRE fixed by version 7.6.
See also :
http://archives.neohapsis.com/archives/fulldisclosure/2008-05/0103.html
http://archives.neohapsis.com/archives/fulldisclosure/2008-05/0107.html
http://www.php.net/releases/5_2_6.php

Solution: Upgrade to PHP version 5.2.6 or later.
Risk Factor: High / CVSS Base Score : 7.5 (CVSS2#AV:N/AC:L/Au:N/C:p/I:p/A:p)
CVE : CVE-2008-0599
BID : 29009
Other references : Secunia:30048

I have downloaded php-5.2.6.tar.gz, so I guess I need help on whether installing this will cause a problem with the newly installed Plesk 8.4 (UNIX), and where and how to install it.

Thank you in advance.

We are going to upgrade admin's PHP engine up to 5.2.6 in the next Plesk version.
 
The new Plesk 8.4 has php 5.1.6-3.7.fc6 and the PCI Compliance testing company failed me on the compliance test because they say that PHP needs to be updated to V5.2.6 or later. See below:

Security Vulnerabilities
Protocol Port Program Risk
TCP 8443 https-alt 8

The daemon on port 8443 is psa (Plesk web interface) and that is not using the php package you have installed. Upgrading it won't change anything about psa's internal PHP engine.
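An added example, not code from the thread or from Plesk, that walks the triage the replies above describe: find which program owns the port the scanner flagged, read the PHP version from the banner it saw, and check the OS package changelog for a backported fix before deciding anything. The netstat and changelog excerpts are constructed; the httpsd process name and the real commands named in the comments are assumptions.

```shell
# Constructed netstat -tlnp excerpt; process names follow the thread
# (httpsd = Plesk's own web server on 8443/8880, httpd = the OS Apache).
NETSTAT_SAMPLE='tcp  0  0 0.0.0.0:80    0.0.0.0:*  LISTEN  1234/httpd
tcp  0  0 0.0.0.0:8443  0.0.0.0:*  LISTEN  2345/httpsd
tcp  0  0 0.0.0.0:8880  0.0.0.0:*  LISTEN  2345/httpsd'
# Constructed excerpt in the style of `rpm -q --changelog php`; the CVE entry
# is illustrative of a backported fix, not the real FC6 package changelog.
CHANGELOG_SAMPLE='* Tue May 06 2008 Example Packager <pkg@example.invalid> 5.1.6-3.7
- backport fix for CVE-2008-0599
* Mon Jan 15 2007 Example Packager <pkg@example.invalid> 5.1.6-3.6
- rebuild'

# Program owning a listening TCP port; reads netstat -tlnp text on stdin.
listener_for_port() {
    awk -v p="$1" '$6 == "LISTEN" && $4 ~ (":" p "$") { sub(/^[0-9]+\//, "", $7); print $7; exit }'
}
# Version from an X-Powered-By header, e.g. "X-Powered-By: PHP/5.1.6" -> 5.1.6
php_banner_version() {
    printf '%s\n' "$1" | sed -n 's/^X-Powered-By: PHP\/\([0-9.]*\).*/\1/p'
}
# Exit 0 if $1 is an older dotted numeric version than $2 (5.1.6 < 5.2.6).
version_older() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}
# Exit 0 if the package changelog ($2) records a fix for CVE $1 (a backport).
cve_backported() { printf '%s\n' "$2" | grep -q -- "$1"; }

# Verdict for a port plus the banner the scanner saw. On a live box, feed the
# real `netstat -tlnp` and `rpm -q --changelog php` output instead of the samples.
triage() {
    owner=$(printf '%s\n' "$NETSTAT_SAMPLE" | listener_for_port "$1")
    ver=$(php_banner_version "$2")
    case $owner in
        httpsd) echo plesk-engine; return 0 ;;  # Plesk's bundled PHP; the OS php package is irrelevant
    esac
    if ! version_older "$ver" 5.2.6; then echo current
    elif cve_backported CVE-2008-0599 "$CHANGELOG_SAMPLE"; then echo backported
    else echo vulnerable; fi
}
triage 8443 'X-Powered-By: PHP/5.1.6'   # plesk-engine
triage 80   'X-Powered-By: PHP/5.1.6'   # backported
```

A "backported" verdict is what you hand the assessor together with the changelog line; a "plesk-engine" verdict means only a Plesk update (not the OS package) can change what the scanner sees.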
 
Plesk 8.4, PHP and Joomla 1.5

Hello, I have a problem with the 5.0.4 version of PHP used with Plesk on my OVH server. With this release, Joomla 1.5 doesn't work (Joomla 1.5 doesn't work with PHP 4.3.9, PHP 4.4.2 or PHP 5.0.4). I have to upgrade the PHP version to 5.2.6 (or another version working with Plesk and Joomla 1.5).

But I'm a newbie and I'm French :-D

Can you tell me how to proceed, please? (And excuse my poor English.)

Or do you know when the next release of Plesk (with the upgrade of PHP, as Sergius said) will be released?

Thanks a lot.
 
Hello, I have a problem with the 5.0.4 version of PHP used with Plesk on my OVH server. With this release, Joomla 1.5 doesn't work (Joomla 1.5 doesn't work with PHP 4.3.9, PHP 4.4.2 or PHP 5.0.4). I have to upgrade the PHP version to 5.2.6 (or another version working with Plesk and Joomla 1.5).

Have you tried installing Joomla 1.5? Maybe the docs are talking about vanilla PHP 5.0.4 instead of the vendor-patched version that you probably have installed. What OS are you running? You might be able to use the Atomic Rocket Turtle repository if your OS is supported.

Or do you know when the next release of Plesk (with the upgrade of PHP, as Sergius said) will be released?

That won't help as that is only the PHP engine that is used by Plesk internally, not for the hosted sites.
 
Any ideas when the next version (presumably 8.5) is going to be released? I'm getting some serious heat about PCI failures which relate to the fact that ports 8880 and 8443 are both running PHP < 5.2.6.
 