Post #1, Jun 18 2008, 04:00 PM
Newbie (Group: Members, Posts: 2, Joined: 16-June 08, Member No.: 51,497)
I just saw the "Nessus Scan Report" on my brand new "Plesk Box" having Plesk 8.4 with RHL 5.
This report says:

-----------------------------------------------------------------------------
The remote web server uses a version of PHP that is affected by multiple flaws.

Description :
According to its banner, the version of PHP installed on the remote host is older than 5.2.6. Such versions may be affected by the following issues :
- A stack buffer overflow in FastCGI SAPI.
- An integer overflow in printf().
- A security issue arising from improper calculation of the length of PATH_TRANSLATED in cgi_main.c.
- A safe_mode bypass in cURL.
- Incomplete handling of multibyte chars inside escapeshellcmd().
- Issues in the bundled PCRE fixed by version 7.6.

See also :
http://archives.neohapsis.com/archives/bug...08-03/0321.html
http://archives.neohapsis.com/archives/ful...08-05/0103.html
http://archives.neohapsis.com/archives/ful...08-05/0107.html
http://www.php.net/releases/5_2_6.php

Solution :
Upgrade to PHP version 5.2.6 or later.

Risk factor :
High / CVSS Base Score : 7.5 (CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)

Plugin output :
PHP version PHP/5.2.3 appears to be running on the remote host based on the following Server response header :
Server: Apache

CVE : CVE-2007-4850, CVE-2008-0599, CVE-2008-1384, CVE-2008-2050, CVE-2008-2051
BID : 27413, 28392, 29009
Other references : OSVDB:43219, Secunia:30048
Nessus ID : 32123
-----------------------------------------------------------------------------

I opened a support ticket with ThePlanet concerning the same, and received the following reply:

-----------------------------------------------------------------------------
Dear customer,

You can perform this update on your own with the following command:

yum update php

Please be aware that once the server is released to the customer, administration and security is their responsibility. However, we do offer an OS Hardening service that will address all of the major security vulnerabilities. However, this is a one time service. If you are interested in this server please create a ticket to the Sales Team and they will be able to provide you with a quote.

I will now close this ticket.

Thank you,
Xaaaaaa X.
Data Center Technician
Houston Data Center 2
-----------------------------------------------------------------------------

Well, two things I would like to inquire about:
1. Isn't it the responsibility of ThePlanet to give a server with "No Security Holes" and "No Potential Unsafe Warnings"?
2. How can I upgrade the version of PHP I have (5.0.x) having Plesk 8.4 installed on it? (yum update php and yum update php* are not upgrading it.)

Thanks,
Old Client
Post #2, Jun 19 2008, 10:24 AM
Celery (Group: The Planet Staff, Posts: 35, Joined: 5-August 06, From: Fort Worth, TX, Member No.: 45,491)
Typically, our servers are delivered with the operating system and control panel as ordered. The base software provided with these installations is all that is typically provided. The day-to-day security and administration of the server is the customer's responsibility.

Upgrading PHP on a Plesk server version 8.0 or newer is a fairly routine task. The only major caveats are:
A) Make sure any custom php.ini settings are preserved.
B) Make sure that all necessary modules are compiled.
C) Make sure to install PHP via RPM or source RPM so that Plesk application vault packages will detect the PHP installation.

With certain releases of PHP 5.2.5, there are often a few problems with Horde, but I do not believe I have heard any reports of this happening with 5.2.6.

If you would prefer to have us give you an admin time quote to complete this upgrade, please submit a ticket so we can get this to the Professional Services RFQ.
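One way to make the three caveats above checkable before and after running yum update php, as an added example that is not the thread's or Plesk's own code. The /etc/php.ini path and the snapshot directories are assumptions, and the module and directive lists at the bottom are constructed so the comparison runs stand-alone.

```shell
#!/bin/sh
# Added example, not code from the thread or from Plesk: checks to run around
# "yum update php" on a Plesk box, one per caveat above. The /etc/php.ini
# path and the snapshot directory are assumptions; the lists at the bottom
# are constructed so the comparison runs stand-alone.

# Caveat C: PHP must be RPM-managed, or Plesk's packaging will not see it.
php_is_rpm_managed() {
    command -v rpm >/dev/null 2>&1 && rpm -q php >/dev/null 2>&1
}

# Caveats A and B: capture loaded modules and effective ini directives
# before the upgrade, then again afterwards, into separate directories.
snapshot_php_state() {   # snapshot_php_state DIR
    mkdir -p "$1"
    php -m | grep -v '^\[' | grep -v '^$' | sort > "$1/modules"
    php -r 'foreach (ini_get_all() as $k => $v) echo "$k=", $v["local_value"], "\n";' \
        | sort > "$1/ini"
    cp /etc/php.ini "$1/php.ini" 2>/dev/null || true
}

# Pure helper: lines of BEFORE (one entry per line) that are absent from AFTER.
missing_lines() {        # missing_lines BEFORE AFTER
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%s\n' "$2" | grep -qxF -- "$line" || printf '%s\n' "$line"
    done
}

# Compare two snapshots: modules that vanished, directives that changed.
compare_php_state() {    # compare_php_state BEFORE_DIR AFTER_DIR
    missing_lines "$(cat "$1/modules")" "$(cat "$2/modules")" | sed 's/^/module lost: /'
    missing_lines "$(cat "$1/ini")" "$(cat "$2/ini")" | sed 's/^/directive changed: /'
}

# Constructed sample snapshots: an upgrade that dropped mbstring and reset a
# custom memory_limit of 128M back to a default.
BEFORE_MODULES='curl
mbstring
mysql'
AFTER_MODULES='curl
mysql'
BEFORE_INI='memory_limit=128M
safe_mode=0'
AFTER_INI='memory_limit=16M
safe_mode=0'

missing_lines "$BEFORE_MODULES" "$AFTER_MODULES"   # mbstring
missing_lines "$BEFORE_INI" "$AFTER_INI"           # memory_limit=128M
```

On a live box the sequence is snapshot_php_state before, the yum run, snapshot_php_state after, then compare_php_state on the two directories; anything it prints is a caveat A or B regression to fix before the box goes back into service.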
Post #3, Jun 19 2008, 08:58 PM
Newbie (Group: Members, Posts: 2, Joined: 16-June 08, Member No.: 51,497)
Thanks Dylan for your advice.

My first question remained unanswered: Isn't it the responsibility of ThePlanet to give a server with "No Security Holes" and "No Potential Unsafe Warnings"?

Best,
OldClient
Post #4, Jun 21 2008, 11:53 AM
Celery (Group: The Planet Staff, Posts: 35, Joined: 5-August 06, From: Fort Worth, TX, Member No.: 45,491)
Thank you for your reply.
The systems are delivered with the base operating system plus any updates that are installed by either the control panel or the operating system's included updater. The vendors of these software packages frequently backport security fixes, and much of the software selection is chosen by the vendor for compatibility purposes, and not specifically to conform to a particular standard (such as PCI). In many cases, particularly with RedHat, many of the security fixes that are corrected with new versions of software are backported into the OS stable version of the software. These fixes are typically outlined in the RedHat errata notices. For more information about how this works, and for an example of an errata notice for OpenSSL, please see the following links:

http://www.redhat.com/advice/speaks_backport.html
https://rhn.redhat.com/errata/RHSA-2006-0695.html

Depending on your compliancy/security scanning solution, many times backported software is acceptable once the appropriate errata notice is supplied to your vendor.
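The banner check Nessus performed cannot see a backported fix, so the practical next step is to ask the package itself: an added example (not from the thread, Red Hat or Nessus) that reads the installed php RPM's changelog and reports which of the CVE ids listed in the scan it never references. It assumes an RPM-based host such as the RHEL 5 box in the thread; the sample changelog is constructed, and the package version and packager in it are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: decide whether a banner-based
# finding like the Nessus one above (PHP older than 5.2.6) is a real gap or a
# backport false positive, by checking the package changelog for the CVE ids
# the plugin lists. Assumes an RPM-based host such as RHEL 5; the sample
# changelog below is constructed, not real Red Hat output.

NESSUS_CVES="CVE-2007-4850 CVE-2008-0599 CVE-2008-1384 CVE-2008-2050 CVE-2008-2051"

# cves_missing_from_changelog CHANGELOG_TEXT CVE_LIST
# Prints, space-separated, the ids in CVE_LIST that CHANGELOG_TEXT never mentions.
cves_missing_from_changelog() {
    missing=""
    for cve in $2; do
        printf '%s\n' "$1" | grep -qw -- "$cve" || missing="$missing $cve"
    done
    printf '%s\n' "${missing# }"
}

# Live check: read the installed php package's changelog and report which of
# the listed CVEs it does not reference. Exit 0 = all referenced (backported),
# 1 = some not referenced (investigate), 2 = could not check on this host.
check_installed_php() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found; cannot check"; return 2; }
    changelog=$(rpm -q --changelog php 2>/dev/null) \
        || { echo "php is not an installed rpm"; return 2; }
    missing=$(cves_missing_from_changelog "$changelog" "$NESSUS_CVES")
    if [ -z "$missing" ]; then
        echo "all listed CVEs appear in the php changelog: fixes likely backported"
        return 0
    fi
    echo "not referenced in the php changelog: $missing"
    return 1
}

# Constructed sample in the shape of "rpm -q --changelog php" on an errata
# build (placeholder versions and packager): three of the five ids are
# referenced, two are not.
SAMPLE_CHANGELOG='* Tue May 06 2008 Example Packager <pkg@example.invalid> 5.2.3-9
- security fix for CVE-2008-2050
- security fix for CVE-2008-2051
* Mon Jan 28 2008 Example Packager <pkg@example.invalid> 5.2.3-8
- security fix for CVE-2007-4850'

cves_missing_from_changelog "$SAMPLE_CHANGELOG" "$NESSUS_CVES"
```

A changelog mention only points at the fix; the errata notice it corresponds to is the evidence to hand to the scanning vendor, and any id the changelog does not reference stays an open finding until a newer package or notice covers it.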