PCI Scan – Plesk PHP easter egg issue

If your PCI scan reports the following:

Port: 8443

Synops is: The configuration of PHP on the remote host allows disclosure of sensitive
information.

Description: The PHP install on the remote server is configured in a way
that allows discloure of potentially sensitive information to an attacker through a
special URL. Such an URL triggers an Easter egg built into PHP itself. Other such
Easter eggs likely exist, but SMetrics has not checked for them. See also:

http://www.0php.com/php_easter_egg.php
http://seclists.org/webappsec/2004/q4/324

Solution: In the PHP configuration file, php.ini, set the value for ‘expose_php’ to ‘Off’ to disable this behavior. Restart the web server daemon to put this change into effect.

Risk Factor: Medium / CVS S
Base Score: 5.0 (CVS S 2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
Other references: OS VDB:12184 (46803)

Now there solution is set the value for ‘expose_php‘ to ‘Off‘ in php.ini so you would think changing expose_php in /etc/php.ini would work. No, if you notice the port above it is complaint about plesk (8443) and until now I did not know plesk had it’s own php.ini file.

So if you edit:

vi /usr/local/psa/admin/conf/php.ini

and set

expose_php = Off

And then restart plesk

service psa restart1

8443, easter egg, PCI, Plesk

//-->

Print article

This entry was posted by PB on June 25, 2010 at 10:03, and is filed under PCI. Follow any responses to this post through RSS 2.0. You can leave a response or trackback from your own site.

Related Posts
Trackbacks (1)
Comments (0)

No comments yet.

PCI Compliance for Plesk (linux)

Table ‘mysql.servers’ doesn’t exist

about 1 year ago - No comments

If you have ever had the error message “Table ‘mysql.servers’ doesn’t exist” when you have tried to delete a database or a domain with a database attacked within plesk, error below (DB names masked out for security) then luckily there is an easy fix which does require you being able to SSH onto your server: More >

Upgrading PHP on a windows plesk server

about 1 year ago - No comments

PHP comes pre-installed along with Plesk on a windows server, and by default, PHP only gets upgraded as new versions of Plesk are released. Unfortunately the release cycle of the Plesk Control Panel does not keep pace with that of PHP, so the result is that VPS / VDS Containers are often running versions of More >

Upgrading BIND on a plesk windows server

about 1 year ago - 1 comment

If you want to manually upgrade the version of BIND running on your plesk windows server then follow the following steps: Check what version of bind you are currently running by going to the Components Management in plesk, you should see something like the following: Go to LINK and download desirable version of BIND for More >

How to configure Microsoft IIS to not accept SSLv2 connections

about 1 year ago - No comments

Had this pop up on a PCI scan on one of the windows servers I look after with a plesk control panel. The report was moaning about SSLv2 being enabled, below is the actual report This SSL service supports SSLv2 connections. SSLv2 has known cryptographic weaknesses that can lead to the compromise of data encrypted More >

Check SSL certificate expiration and other information

about 1 year ago - 2 comments

Check SSL certificate expiration and other information openssl is the handest tool to check SSL information and this command is available on most Linux systems. Getting the information is a simple one-line command, invoking openssl twice — one time to connect and the other to parse the certificate and show you the data: openssl s_client More >

Increase maximum number of addesses that can be added to the Spamassassin White or Black list

about 1 year ago - No comments

You may get the following error message Warning: Only 100 first unique e-mail addresses will be added. Since Plesk Control Panel version 8.4.0 you may configure maximum number of addresses that can be added to the Spamassassin While or Black lists through the control panel. It is variable psa.misc.spamfilter_max_addr_list_length in Plesk database, 100 addresses are More >

Running a .vbs file as a Schedule task in plesk

about 1 year ago - No comments

This took me a bit of time to work out but if you are trying to run a scheduled task in Plesk (Windows) that launches a .vbs file then you need to do the following: In Path to executable file you need to enter the path to csripts.exe, for example: c:\windows\system32\cscript.exe Then in Arguments you More >

PCI Compliance Expect Header Cross-Site Scripting Vulnerability (8443, plesk)

about 1 year ago - 3 comments

PCI compliance Expect Header Cross-Site Scripting Vulnerability If you get the following warning in a PCI scan: Security warning found on port/service “pcsync-https (8443/tcp)” Plugin “Expect Header Cross-Site Scripting Vulnerability” Category “CGI abuses : XSS ” Priority “Medium Priority “Synopsis : The remote web server is vulnerable to a cross-site scripting attack. Description : The More >

Resync the IIS anonymous username and password on my Plesk server (windows)

about 2 years ago - No comments

When trying to access your domain, you are receiving a login prompt for a username and password. If you click ‘cancel’ on this prompt, you will receive the following HTTP error: HTTP Error 401.1 – Unauthorized: Access is denied due to invalid credentials. Internet Information Services (IIS) This indicates that the anonymous username and password More >

Usefull Plesk SQL Statements

about 2 years ago - No comments

FTP ACCOUNTS SELECT account_id AS ‘ID’, login AS ‘USERNAME’, password AS ‘PASSWORD’, home AS ‘HOMEDIR’ FROM sys_users S, accounts A WHERE S.account_id = A.id; MAIL ACCOUNTS For all Domains SELECT account_id AS ‘ID’, mail_name AS ‘USERNAME’, password AS ‘PASSWORD’, postbox as ‘MAILBOX?’, name AS ‘DOMAIN’, redir_addr as REDIRECT FROM mail M, domains D, accounts A More >

PCI Scan – Plesk PHP easter egg issue

vi /usr/local/psa/admin/conf/php.ini

expose_php = Off

service psa restart1

Related Posts

No comments yet.

Table ‘mysql.servers’ doesn’t exist

Upgrading PHP on a windows plesk server

Upgrading BIND on a plesk windows server

How to configure Microsoft IIS to not accept SSLv2 connections

Check SSL certificate expiration and other information

Increase maximum number of addesses that can be added to the Spamassassin White or Black list

Running a .vbs file as a Schedule task in plesk

PCI Compliance Expect Header Cross-Site Scripting Vulnerability (8443, plesk)

Resync the IIS anonymous username and password on my Plesk server (windows)

Usefull Plesk SQL Statements

Search

Links

Tag Cloud

Categories

Password Generator

Popular Posts

My Sites

Friends Sites