
Upgrading "internal" PHP


Hak Foo

Guest
So I have a client (they're too big to ignore) who's screaming:

"Our merchant account requires our site to be audited and pass all the audit details".

Now, some of this stuff is reasonable to fix, like "lock MySQL so it can't be accessed from outside", and "lock BIND from doing recursive DNS queries".

The problem is that about two thirds of the "fail grade" complaints are

"Server on port 8880 uses a version of PHP < 5.2.4"

and

"Server on port 8443 uses a version of PHP < 5.2.4"

I can upgrade the main stuff to 5.2.4 (which forced a MySQL update, then having to change Plesk from 8.0.0 to 8.1.1) but I can't see a way to fix Plesk's PHP. I tried linking the "real" PHP (5.2.4) to sit where the Plesk PHP (5.0.5) was, and it didn't help.

And honestly, I'm unsure if replacing the 5.0.5 Plesk expects with 5.2.4 would be a good thing.

Is there any alternative? I could maybe even see configuring the mini-Apache used for the control panel to not show a version string.

Please don't tell me to upgrade to Plesk 8.2. I went to 8.1 because I figured it would minimize disruption, being the smallest step that would support MySQL 5 (nobody mentioned Plesk 8.0 hated MySQL 5 until AFTER I upgraded that), and it still took almost all day to restore order (qmail-local was broken by the upgrade, and some of the mail account rebuilding went poorly).
 
Did you try replacing the command-line PHP or the mod_php their Apache loads?
 
So, the main problem is to make PHP on the server 5.2.4...

Generally, you can install it, and Plesk should work with it, even though PHP 4 is required for 8.1
(according to the release notes).

Or you can set up another server with PHP 5.2 and migrate the current one there; it will be savvier.
 
I upgraded the main site (port 80) to PHP 5.2.4 (breaking many apps in the process)

However, the PHP inside Plesk (ports 8443/8880) is 5.0.x. I think the best I can do is disable the "Powered by PHP/5.0.x" banner.
 
Or you can just challenge the findings by the PCI Auditor. This is a false positive, based on the tools they are using, most likely Nessus. Nessus even documents these false positives in its report.

You will likely get similar false positives from ssh, openssl, apache, etc. This is a very common problem, and you do not take the results from a vulnerability scanner doing "Safe" network tests at face value.
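As an added illustration (not code from any poster in this thread), the following shows how a banner-only check like the one behind the "PHP < 5.2.4" finding works, run over constructed response headers for the three ports discussed above. It classifies purely on the advertised string, so it cannot distinguish a backported fix from an old build, and it can only answer "unknown" when the PHP banner is not sent.

```python
import re

# Minimum version the audit demands (from the thread: PHP < 5.2.4 is a "fail").
MINIMUM_PHP = (5, 2, 4)

# Constructed sample responses resembling what the control panel on 8443/8880
# and the main site on port 80 might send; not captured from any real server.
SAMPLE_RESPONSES = {
    "8443": "HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Powered-By: PHP/5.0.5\r\n\r\n",
    "80":   "HTTP/1.1 200 OK\r\nServer: Apache/2.0.59\r\nX-Powered-By: PHP/5.2.4\r\n\r\n",
    "8880": "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",  # no banner (expose_php = Off)
}


def parse_version(text):
    """Turn 'PHP/5.2.4' (or '5.2.4-1ubuntu') into a comparable tuple of ints."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def php_version_from_headers(raw_response):
    """Return the PHP version advertised in X-Powered-By, or None if absent."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "x-powered-by" and "php/" in value.lower():
            return parse_version(value)
    return None


def banner_finding(raw_response, minimum=MINIMUM_PHP):
    """Classify a response the way a banner-only scanner check would.

    'fail'    advertised version is below the minimum
    'pass'    advertised version meets the minimum
    'unknown' no PHP banner, so a banner check cannot decide either way
    The check looks only at the string; it knows nothing about backported patches.
    """
    version = php_version_from_headers(raw_response)
    if version is None:
        return "unknown"
    return "fail" if version < minimum else "pass"


if __name__ == "__main__":
    for port, response in SAMPLE_RESPONSES.items():
        print(port, banner_finding(response))
```

Running it reports "fail" for 8443, "pass" for 80 and "unknown" for 8880, which is why challenging the finding with evidence of the actual installed build (or its backported fixes) is the right response rather than trusting the string alone.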
 