Jul 31 2008, 01:09 PM
Post #1
Fellow, Group: Members, Posts: 178, Joined: 24-December 04, Member No.: 42,318
Hey all...
just got a new ded server here at TP and I ran a Vulnerability Report right off the bat - and found that I have more'n 8 issues all with the version of php that was installed. They all begin with --

Vulnerability pcsync-https (8443/tcp)
Synopsis : The remote web server uses a version of PHP that is affected by multiple flaws.
Description : According to its banner, the version of PHP installed on the remote host is older than 5.2.6.

What I then asked support was why did they install, via my purchased Plesk 8.2 CP, vulnerabilities...and I got the usual run-around that they install only the most stable version...which is something like php 4.x

Can someone who knows please offer - is php 5.2.6 STABLE and should it have been a part of the Plesk install ? ie is TP support not telling me the truth? Anyone know (MS guy here who's exp is in ASP/.NET only?) ie no php knowledge at all....

???

Jim

PS of course, they did offer that if I wanted the vulnerability removed, that they could do but as an hourly rated task...ie for more $$$ :-)
Jul 31 2008, 11:22 PM
Post #2
SuperGeek, Group: Members, Posts: 3,019, Joined: 8-July 06, From: Los Angeles, CA, Member No.: 22,425
-------------------- Mark A. Mutti - PhireFast: Our Support & Prices are HOT!
W: www.phirefast.com P: (866) 350-4456 Ext. 100 E: Mark.mutti@phirefast.com (I still lurk around here every now and then)
Aug 1 2008, 06:01 AM
Post #3
SuperGeek, Group: Members, Posts: 4,850, Joined: 23-May 03, Member No.: 7,754
I don't know what php version you have but keep in mind exactly what that report says - it looks at the version number. Those scanners are only looking for the version and not looking at anything else. They do not take into account the fact that RH will upgrade packages but NOT update version numbers. What they do is update it and change the version number to something different than the source code versions. They generally patch at least for the vulnerabilities and generally for features - but not nearly as much.
Google the rpm php version and you should get an RH page which will show if it is the latest offered for an RH package.
-------------------- John W
My personal website with many free security and linux how-to's! Tss -- Live Support! Tweaking, Securing, 24x7 Service Monitoring, Monthly Management, Migrations, Restores, Optimization, LoadBalancer Configuration, Mysql Clusters, Custom Configurations, Consulting. English And Spanish Support! We do it all @ TotalServerSolutions
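Added example, not part of the thread: one way to check a banner-based finding against vendor backports is to compare the CVE ids the scanner lists with those named in the package changelog (`rpm -q --changelog php`). The sample changelog, version strings and CVE ids below are constructed placeholders, and the entry-header layout is an assumption.

```python
import re
import subprocess

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample in the layout of `rpm -q --changelog` output.
# Versions and CVE ids are placeholders, not real identifiers.
SAMPLE_CHANGELOG = """\
* Tue Jul 01 2008 Example Packager <packager@example.com> - 0.0.0-2
- add security fix for CVE-0000-0001
- add security fixes for CVE-0000-0002, CVE-0000-0003

* Mon Mar 03 2008 Example Packager <packager@example.com> - 0.0.0-1
- fix crash in session handler (no security impact)
"""

def read_changelog(package):
    """Return the installed package's changelog (needs an RPM-based host)."""
    return subprocess.run(["rpm", "-q", "--changelog", package],
                          capture_output=True, text=True, check=True).stdout

def backported_fixes(changelog):
    """Map each CVE id in the changelog to the oldest release entry naming it."""
    fixes, release = {}, None
    for line in changelog.splitlines():
        if line.startswith("* "):
            # Assumed header layout: "* <date> <packager> - <version-release>"
            release = line.rsplit(" - ", 1)[-1].strip()
        else:
            for cve in CVE_RE.findall(line):
                # Entries run newest first, so the last write is the oldest.
                fixes[cve] = release
    return fixes

def triage(scanner_cves, changelog):
    """Split scanner findings into changelog-confirmed fixes and the rest."""
    fixes = backported_fixes(changelog)
    patched = {c: fixes[c] for c in scanner_cves if c in fixes}
    unverified = [c for c in scanner_cves if c not in fixes]
    return patched, unverified

if __name__ == "__main__":
    flagged = ["CVE-0000-0001", "CVE-0000-0003", "CVE-0000-0009"]  # placeholders
    patched, unverified = triage(flagged, SAMPLE_CHANGELOG)
    print("patched by vendor:", patched)
    print("still to verify:", unverified)
```

A CVE missing from the changelog is not proof of exposure; it only means the changelog does not confirm a fix, so check the vendor's page for that package as the post suggests.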
Aug 1 2008, 06:52 AM
Post #4
Fellow, Group: Members, Posts: 178, Joined: 24-December 04, Member No.: 42,318
yes, thanks - I now know that 5.2.6 IS the current stable version...my question tho is on TP and why they'd NOT install same or tell Plesk to use same...
this is shoddy! is there any recourse with TP?

???

Jim
Aug 1 2008, 08:24 PM
Post #5
Computer Chip, Group: Members, Posts: 682, Joined: 24-November 01, Member No.: 680
Frankly, you're expecting waaaaaay too much Jim.

When you get an unmanaged box, anywhere not just at The Planet, it's up to you, the Server Admin, to get it secure and keep it secure. In fact I've never seen a dedicated unmanaged box from any supplier that even has a firewall installed, properly configured and turned on by default. Having a good firewall is far more important than the php version you're running.

FWIW, PHP 4.x can be made secure too, if the server admin knows what they're doing. And so that you know, if you're going to be selling hosting to other people make darned sure you tell 'em in pre-sales that it's version 5 on your server. Because some older, trusted php apps were never made with all of the changes between PHP 4 and PHP 5 in mind. So some PHP 4 code will not work on a PHP 5 server. And vice versa.

If you want someone to give you a secure box, and more importantly keep it secure for you, you're looking for Managed server packages. Not unmanaged. Of course a managed server is going to cost more because someone has to do all of the upgrading, securing and monitoring work.