
PHP 5.2.8

jamescrown

Hello,

There has been a recent vulnerability in PHP 5.2.6. Since Plesk 8.6 is set to use 5.2.6, all Plesk 8.6 installs fail PCI compliance.

Can you please upgrade Plesk 8.6 to use PHP 5.2.8 for %plesk_bin% and %plesk_dir%\additional\pleskphp5 ?

Due to the major changes with interface and backups (I have still yet to convert 8.6 PSA backup to 9.0 XML backup successfully) not all customers will want to upgrade to Plesk 9.0 to fix this vulnerability.

Thanks for your consideration.
 
Hello James,

Thank you for the report.

For its own virtual host (port 8443), Parallels Plesk Panel uses a custom-built PHP engine that is patched properly but shows the old version.
You may hide the corresponding header through %plesk_dir%\admin\php.ini by switching off the parameter: expose_php = Off.

You may learn more about how to update users' PHP here:

http://download1.swsoft.com/Plesk/P...6-win-advanced-administration-guide/51692.htm
http://download1.swsoft.com/Plesk/P...6-win-advanced-administration-guide/51562.htm
http://download1.swsoft.com/Plesk/P...6-win-advanced-administration-guide/51563.htm
 
Hello,

I am aware of how to upgrade PHP in %plesk_dir%\additional, however my concern is with %plesk_bin% specifically. Can you please provide your patch documentation and what vulnerabilities it covers? Thank you.
 
sergius cannot list the patches they make because their version is not patched.
 
James,

It would not be secure to discuss possible product vulnerabilities on a public forum.

If you know about any actual vulnerability in Parallels Plesk Panel itself, then please inform me through a private message and we will fix the issue as soon as possible.
 
I've simply informed you of bugs in the 3rd party components that plesk installs.

php.net advised the use of 5.2.8 as of Dec 8th 2008 due to bugs in earlier versions including 5.2.6.

Your Plesk 8.6 build is from July 22 2008 and contains PHP 5.2.6.
Your Plesk 9 build is from Dec 8th 2008 and contains PHP 5.2.6.
 
Plesk Software Causes ALL Sites Processing Credit Cards Failure

We use Plesk 8.6. This version installs PHP 5.2.6. Security scans by third party companies report this as a violation of the PCI agreement that governs transaction processing with credit card networks. They state the only way to comply is to use PHP 5.2.8 or above.

There is no update by Parallels available to make Plesk 8.6 compliant with PCI testing, and anyone using Plesk in this configuration is in jeopardy, unless there is an upgrade method to replace PHP to the proper version.

I think this is a serious issue, if Plesk expects customers who sell things using a credit card to use their software.
 
Parallels expects you to do the following to fix the PCI compliance issue:

1.) Update the version in %plesk_dir%\additional\pleskphp5 to 5.2.8 yourself. You can just extract the PHP zip to this directory, then update the components section of Plesk.

2.) Hide the PHP version that the Plesk build uses by setting "expose_php = off" in %plesk_dir%\admin\php.ini.

They do not see any reason to update the PHP build used at this time, even though PHP.net's changelog shows numerous bug and security fixes between 5.2.6 and 5.2.8: http://www.php.net/ChangeLog-5.php
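To show what a banner-based PCI scan of the kind described in this thread actually looks at, here is a small check added as an example (it is not code from the thread or from Plesk). The three HTTP responses are constructed samples, and MIN_PHP is the 5.2.8 threshold the scanners quoted above; the point it makes is that step 2 (expose_php = Off) removes the banner the scanner flags, but says nothing about which PHP build is really running, whereas step 1 changes the version itself.

```python
import re
from typing import Optional, Tuple

# Minimum version the thread's PCI scanners accepted for the PHP 5.2 branch.
MIN_PHP = (5, 2, 8)

# Constructed sample responses (not captured from any real server):
# a Plesk 8.6 default, one after "expose_php = Off", one after the manual
# upgrade of the additional PHP to 5.2.8.
SAMPLE_RESPONSES = {
    "default": "HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Powered-By: PHP/5.2.6\r\n\r\n",
    "hidden": "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",
    "upgraded": "HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Powered-By: PHP/5.2.8\r\n\r\n",
}


def php_version_from_headers(raw: str) -> Optional[Tuple[int, ...]]:
    """Return the PHP version advertised in X-Powered-By, or None if absent."""
    for line in raw.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-powered-by":
            m = re.search(r"PHP/(\d+(?:\.\d+)*)", value, re.IGNORECASE)
            if m:
                return tuple(int(p) for p in m.group(1).split("."))
    return None


def assess(raw: str) -> str:
    """Classify a response the way a banner-based scanner would."""
    version = php_version_from_headers(raw)
    if version is None:
        # No banner: the scan passes, but a hidden version (expose_php = Off)
        # is not evidence that the code actually running has been patched.
        return "pass (banner hidden; not evidence that PHP is patched)"
    shown = ".".join(map(str, version))
    if version < MIN_PHP:  # tuple comparison handles 5.2.6 < 5.2.8 etc.
        return "fail: PHP %s is below %s" % (shown, ".".join(map(str, MIN_PHP)))
    return "pass: PHP %s" % shown


if __name__ == "__main__":
    for name, raw in SAMPLE_RESPONSES.items():
        print(name, "->", assess(raw))
```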
 
Thanks, James. I've followed your direction. It's alarming Plesk/Parallels sees no sense of urgency in protecting their client base. It took me a couple of weeks to get here. Now I am more afraid of what else I don't know. I guess I expected more from such a product.
 
It's not unreasonable to expect them to keep their third party components up to date. It's just not Parallels' M.O. (look at the versions of your other components).
 