Hi Gang,
I have a problem. I am running a dedicated server (Windows) with Plesk 8.3. I have a client with an e-commerce site that does their own credit card processing (using a gateway and merchant account). The card processor has forced them to dign-up for security Scans through SecurityMetrics.com. The first scan was performed, and they received a failing grade because of several issues. The one I am writing about here involves the PHP versions.
I run both PHP4 & PHP5 on my server. The versions are 4.4.7 and 5.2.5. The security problem is this:
***
Synopsis : The remote web server uses a version of PHP that is affected by multiple issues. Description : According to its banner, the version of PHP installed on the remote host is older than 4.4.9. Such versions address several security issues, including : - An update of PCRE to version 7.7. - An overflow in PHP's internal 'memnstr()', which is exposed to userspace as 'explode()'. - A crash in 'imageloadfont' when an invalid font is given. - An 'open_basedir' handling issue in the curl extension. - 'mbstring.func_overload' set in '.htaccess' becomes global. Note that the release announcement states this will be the last release for the PHP 4.4 series. See also : http://www.openwall.com/lists/oss-securi ty/2008/08/08/2 http://www.php.net/releases/4_4_9.php http://www.php.net/ChangeLog-4.php#4.4.9 Solution: Upgrade to PHP version 4.4.9 or later. Risk Factor: High / CVSS Base Score : 7.5 (CVSS2#AV:N/AC:L/Au:N/C/I/A) CVE : CVE-2007-4850, CVE-2008-3658 BID : 27413, 30649, 31612 Other references : OSVDB:43219, Secunia:31409 [More]
***
There are other problems involving PHP 5.2.5.
So what I want to do is upgrade PHP to 4.4.9 and 5.2.6, but I cannot find any instructions on how to do this, and I don't want to break Plesk in the upgrade. I know enough to be dangerous. For instance, I installed Gene6FTP on my server to get SFTP capabilities. I also bought and installed MailEnable Pro for my server to get IMAP capabilities. So I'm not illiterate, but I also want to avoid potential problems with the PHP upgrade.
Can anyone help me get this upgrade completed? I tried discussing this with my hosting company, and they were absolutely no help what-so-ever. The basically said, "4.4.7 and 5.2.5 are what come with Plesk, so that's what you get".
Anyway, I'm stumped. My current thoughts are:
1) Try and get all of the security this resolved through the forums (like this posting)
2) Give up on credit card processing and run everything through Google or Paypal
3) Give up on hosting altogether!
Any help would be greatly appreciated.
I have a problem. I am running a dedicated server (Windows) with Plesk 8.3. I have a client with an e-commerce site that does their own credit card processing (using a gateway and merchant account). The card processor has forced them to dign-up for security Scans through SecurityMetrics.com. The first scan was performed, and they received a failing grade because of several issues. The one I am writing about here involves the PHP versions.
I run both PHP4 & PHP5 on my server. The versions are 4.4.7 and 5.2.5. The security problem is this:
***
Synopsis : The remote web server uses a version of PHP that is affected by multiple issues. Description : According to its banner, the version of PHP installed on the remote host is older than 4.4.9. Such versions address several security issues, including : - An update of PCRE to version 7.7. - An overflow in PHP's internal 'memnstr()', which is exposed to userspace as 'explode()'. - A crash in 'imageloadfont' when an invalid font is given. - An 'open_basedir' handling issue in the curl extension. - 'mbstring.func_overload' set in '.htaccess' becomes global. Note that the release announcement states this will be the last release for the PHP 4.4 series. See also : http://www.openwall.com/lists/oss-securi ty/2008/08/08/2 http://www.php.net/releases/4_4_9.php http://www.php.net/ChangeLog-4.php#4.4.9 Solution: Upgrade to PHP version 4.4.9 or later. Risk Factor: High / CVSS Base Score : 7.5 (CVSS2#AV:N/AC:L/Au:N/C/I/A) CVE : CVE-2007-4850, CVE-2008-3658 BID : 27413, 30649, 31612 Other references : OSVDB:43219, Secunia:31409 [More]
***
There are other problems involving PHP 5.2.5.
So what I want to do is upgrade PHP to 4.4.9 and 5.2.6, but I cannot find any instructions on how to do this, and I don't want to break Plesk in the upgrade. I know enough to be dangerous. For instance, I installed Gene6FTP on my server to get SFTP capabilities. I also bought and installed MailEnable Pro for my server to get IMAP capabilities. So I'm not illiterate, but I also want to avoid potential problems with the PHP upgrade.
Can anyone help me get this upgrade completed? I tried discussing this with my hosting company, and they were absolutely no help what-so-ever. The basically said, "4.4.7 and 5.2.5 are what come with Plesk, so that's what you get".
Anyway, I'm stumped. My current thoughts are:
1) Try and get all of the security this resolved through the forums (like this posting)
2) Give up on credit card processing and run everything through Google or Paypal
3) Give up on hosting altogether!
Any help would be greatly appreciated.