
Upgrading "internal" PHP

Discussion in 'Plesk for Linux - 8.x and Older' started by Hak Foo, Oct 31, 2007.

  1. Hak Foo

    Hak Foo Guest

    So I have a client (they're too big to ignore) who's screaming:

    "Our merchant account requires our site to be audited and pass all the audit details".

    Now, some of this stuff is reasonable to fix, like "lock MySQL so it can't be accessed from outside", and "lock BIND from doing recursive DNS queries".

    The problem is that about two thirds of the "fail grade" complaints are

    "Server on port 8880 uses a version of PHP < 5.2.4"


    "Server on port 8443 uses a version of PHP < 5.2.4"

    I can upgrade the main stuff to 5.2.4 (which forced a MySQL update, then having to change Plesk from 8.0.0 to 8.1.1) but I can't see a way to fix Plesk's PHP. I tried linking the "real" PHP (5.2.4) to sit where the Plesk PHP (5.0.5) was, and it didn't help.

    And honestly, I'm unsure if replacing the 5.0.5 Plesk expects with 5.2.4 would be a good thing.

    Is there any alternative? I could maybe even see configuring the mini-Apache used for the control panel to not show a version string.

    Please don't tell me to upgrade to Plesk 8.2. I went to 8.1 because I figured it would minimize disruption, being the smallest step that would support MySQL 5 (nobody mentioned Plesk 8.0 hated MySQL 5 until AFTER I upgraded that), and it still took almost all day to restore order (qmail-local was broken by the upgrade, and some of the mail account rebuilding went poorly).
  2. kassah

    kassah Guest

    Did you try replacing the command-line PHP or the mod_php their Apache loads?
  3. tiramisu

    tiramisu Guest

    So, the main problem is to make PHP on the server 5.2.4...

    Generally, you can install it, and Plesk should work on it, even though PHP 4 is required for 8.1
    (according to the release notes).

    Or you can set up another server with PHP 5.2 and migrate the current one there; it will be savvier.
  4. Hak Foo

    Hak Foo Guest

    I upgraded the main site (port 80) to PHP 5.2.4 (breaking many apps in the process).

    However, the PHP inside Plesk (ports 8443/8880) is 5.0.x. I think the best I can do is disable the "Powered by PHP/5.0.x" banner.
  5. atomicturtle

    atomicturtle Golden Pleskian

    Or you can just challenge the findings by the PCI Auditor. This is a false positive, based on the tools they are using, most likely Nessus. Nessus even documents these false positives in its report.

    You will likely get similar false positives from ssh, openssl, apache, etc. This is a very common problem, and you do not take the results from a vulnerability scanner doing "Safe" network tests at face value.
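
Why a header-only version finding like the ones quoted in this thread has to be confirmed on the host, as an added example that is not part of the thread or of any scanner's code. It assumes the check reads the PHP version from the `X-Powered-By` or `Server` response header; the sample responses and the Apache version in them are constructed.

```python
import re

# Constructed responses (not captured from a real server). Ports and the PHP
# versions 5.0.5 / 5.2.4 are the ones named in the thread.
SAMPLES = {
    8880: "HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Powered-By: PHP/5.0.5\r\n\r\n",
    # Same software, but the PHP banner is switched off:
    8443: "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",
    # mod_php can also advertise itself inside the Server header:
    80: "HTTP/1.1 200 OK\r\nServer: Apache/2.0.54 (Unix) PHP/5.2.4\r\n\r\n",
}
THRESHOLD = (5, 2, 4)  # "PHP < 5.2.4" from the audit report


def parse_headers(raw):
    """Return response headers as a dict with lower-cased names."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def php_banner_version(headers):
    """Extract the advertised PHP version, or None if none is advertised."""
    for field in ("x-powered-by", "server"):
        m = re.search(r"PHP/(\d+)\.(\d+)\.(\d+)", headers.get(field, ""))
        if m:
            return tuple(int(part) for part in m.groups())
    return None


def banner_finding(raw, threshold=THRESHOLD):
    """Classify a response the way a header-only check would."""
    version = php_banner_version(parse_headers(raw))
    if version is None:
        return "no-banner"  # nothing to compare; the real version is unknown
    return "flagged" if version < threshold else "passed"


def needs_host_verification(raw):
    """Only a 'passed' banner leaves nothing to chase; the rest need a host check."""
    return banner_finding(raw) != "passed"


if __name__ == "__main__":
    for port, raw in sorted(SAMPLES.items()):
        print(port, banner_finding(raw), needs_host_verification(raw))
```

Ports 8880 and 8443 in the sample run identical software, yet only one is flagged: the result follows the advertised string, so either outcome is settled by checking the installed PHP build on the host.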