Possible to update php version used by psa?

Support/Development for PHP
jadjei
Forum User
Posts: 25
Joined: Mon Jan 22, 2007 10:27 pm
Location: Coventry, UK

Unread post by jadjei »

Hi,
In a drive to reach PCI compliance, one of my clients is asking probing questions about the servers I have set up for them.

Everything seems to check out, except Plesk. I have the latest Plesk 8.3 running, which seems to use PHP 5.2.3 for itself and makes use of eAccelerator:
/usr/local/psa/admin/bin/php

Can this be replaced with the latest php version?
If I install php-eaccelerator will I be able to just copy the binary over?

jon
Highland
Forum Regular
Posts: 674
Joined: Mon Apr 10, 2006 12:55 pm

Unread post by Highland »

Plesk has its own instance of Apache and PHP. Your copy of php is at /usr/bin/php and can be upgraded by using the Atomic repo. Unless there's some sort of add-on for Plesk that requires 5.2.5 I wouldn't touch that copy.

Try this instead of looking at stuff in /usr/local/psa/admin/bin:
# php -v
# rpm -q php
jadjei
Forum User
Posts: 25
Joined: Mon Jan 22, 2007 10:27 pm
Location: Coventry, UK

Unread post by jadjei »

Cheers, but I've got the general version of PHP up to date; it was specifically the PSA one I was wondering whether it's possible to update.
The automated PCI compliance server test scripts run against all open ports, Plesk ones included, and are moaning about it not using the latest PHP.
hiddenidentity
Forum User
Posts: 30
Joined: Sun Nov 26, 2006 5:31 pm

Unread post by hiddenidentity »

Unless Scott says otherwise I would take Highland's advice and leave the Plesk world alone. Not sure where that leaves you with your PCI compliance sadly...

Maybe you can lock down the Plesk ports to a specific incoming IP address?
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Unread post by scott »

Those automated scans operate with very high rates of false positives. You really need to have an expert interpret the results for you.
jadjei
Forum User
Posts: 25
Joined: Mon Jan 22, 2007 10:27 pm
Location: Coventry, UK

Unread post by jadjei »

The test is simply failing us on the version of PHP it can detect on the 8443 port. It sees v5.2.3 and is asking us to put 5.2.5 on there.

I think I may have to resort to firewalling access to Plesk to a few IPs, as hiddenidentity suggests; a bit of a pain just to pass the test.

If updating the PHP version isn't doable though, Scott, I'll have to, I guess. Thanks all.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Unread post by scott »

I know, I've written vulnerability scanners before. :P The better question is what the vulnerability in 5.2.3 is and whether it is something that applies to the application. This is what we call a "mitigated vulnerability".
breun
Long Time Forum Regular
Posts: 2813
Joined: Sat Aug 20, 2005 9:30 am
Location: The Netherlands

Unread post by breun »

If you'd install a plain copy of RHEL 5 and completely update it, you'd be running PHP 5.1.6. The PCI scanner might be telling you to upgrade to the latest version, but the truth is that this 5.1.6 is PHP 5.1.6 plus backported fixes. So any security fixes applied to later versions of PHP are backported to the RHEL package. Read http://www.redhat.com/security/updates/backporting/ for more info. Would running Red Hat's package also result in non-PCI compliance?
jadjei
Forum User
Posts: 25
Joined: Mon Jan 22, 2007 10:27 pm
Location: Coventry, UK

Unread post by jadjei »

I'm being allowed to defend the use of PHP 5.2.3. I've researched all the vulnerabilities they list and have noted Red Hat's stance on them and specific measures taken in our setup.

One of the issues required a fix which was backported into the latest Enterprise Linux PHP 5.1.6. I'm wondering now how I can tell whether the version Plesk used has the backported fixes...?

PHP released 5.2.3 - 2007-05-31
Redhat released their fix - 2007-09-20
I'm using the latest Plesk 8.3 on CentOS 4.6

Thanks already for all your help.
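The two points raised above, breun's that a distribution package can carry backported fixes without its version string changing, and the question of how to tell whether a given build actually has them, come down to checking the package's own change record instead of the banner a scanner sees. The following is an added example, not code from the thread or from Atomicorp or Plesk: it compares a naive banner-only version check with a changelog lookup over a constructed sample of `rpm -q --changelog` style output. The CVE identifier and the changelog text are placeholders, not real findings.

```python
import re

# Constructed sample in the style of `rpm -q --changelog php` output.
# The maintainer, dates and CVE id are placeholders, not a real package record.
SAMPLE_CHANGELOG = """\
* Thu Sep 20 2007 Example Maintainer <maint@example.invalid> 5.1.6-20
- add security fixes for CVE-XXXX-YYYY (backported from 5.2.x)
- update to 5.1.6-20

* Mon Jan 15 2007 Example Maintainer <maint@example.invalid> 5.1.6-15
- rebuild
"""


def parse_version(text):
    """Turn '5.1.6' or '5.1.6-20.el5' into a tuple of ints for comparison.

    The release suffix after '-' is dropped, which is exactly the
    information a banner-only check throws away."""
    upstream = text.split("-", 1)[0]
    return tuple(int(p) for p in upstream.split(".") if p.isdigit())


def version_is_behind(installed, scanner_wants):
    """What a banner-only scanner does: compare version strings and nothing else."""
    return parse_version(installed) < parse_version(scanner_wants)


def changelog_mentions(changelog, cve_id):
    """Return the changelog lines that reference the CVE id. A backported fix
    leaves this evidence behind even though the version number never moves."""
    pattern = re.compile(re.escape(cve_id), re.IGNORECASE)
    return [line.strip() for line in changelog.splitlines() if pattern.search(line)]


def assess_finding(installed, scanner_wants, cve_id, changelog):
    """Classify one scanner finding.

    'not_applicable': installed version already meets what the scanner asks for.
    'mitigated':      version is behind, but the changelog documents the fix.
    'open':           version is behind and no evidence of a fix was found."""
    if not version_is_behind(installed, scanner_wants):
        return "not_applicable"
    if changelog_mentions(changelog, cve_id):
        return "mitigated"
    return "open"
```

For a vendor-bundled interpreter such as the one under /usr/local/psa, the equivalent evidence has to come from that vendor's own package changelog or release notes, so an "open" result here means only that no record was found, not that the flaw is present.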
Highland
Forum Regular
Posts: 674
Joined: Mon Apr 10, 2006 12:55 pm

Unread post by Highland »

Plesk updates its own copy of PHP whenever there is a new version released. If there was a serious problem with 5.2.3 that left Plesk vulnerable, they would probably put out a new release (i.e. PSA 8.3.1) to deal with it and upgrade their PHP that way.
jadjei
Forum User
Posts: 25
Joined: Mon Jan 22, 2007 10:27 pm
Location: Coventry, UK

Unread post by jadjei »

Sounds like a pretty likely assumption; I'm just not sure the PCI people will be happy unless they're told for definite.
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Unread post by scott »

If you're using ASL, you can reference its compensating controls against vulnerabilities found in a PCI audit. Just contact support about the findings from the audit so we can give you the specific things to reference.
jadjei
Forum User
Posts: 25
Joined: Mon Jan 22, 2007 10:27 pm
Location: Coventry, UK

Unread post by jadjei »

Yup, I've got 2 ASL subscriptions, so that's great, Scott, thanks. If they're not satisfied with what I've just sent them, I'll come back to you.
jadjei
Forum User
Posts: 25
Joined: Mon Jan 22, 2007 10:27 pm
Location: Coventry, UK

Unread post by jadjei »

Thanks to all for your help again. We were granted PCI compliance, so my clients are happy. :)