Integrate PHP to use server version on Ubuntu

Posted: Tue Nov 08, 2016 5:21 pm
by seventhstar
I've been trying to pass my PCI-DSS standard with my credit card company and because VestaCP uses an internal version of PHP (v5.4.45) I'm not able to pass this scan.

My server information is as follows:
Ubuntu 14.04, running apache2.
I have VestaCP v0.9.8 - release16

I've noticed that VestaCP is using: 5.4.45 exclusively, even though I don't have PHP5 installed on my server and I currently have PHP7.

Not sure what other information you would need, however I'm looking for a solution to either have VestaCP use the server version of PHP (currently v7.0.12-1) or how to upgrade the internal version of VestaCP (within: /usr/local/vesta/php/) to a more up-to-date version.

Many thanks in advance.

Re: Integrate PHP to use server version on Ubuntu

Posted: Sun Nov 13, 2016 9:35 am
by PagesAtHome
Not sure if it works for you, but if your application is using apache, it might be necessary to enable the new php version.


Make PHP 7 the standard version:

Check:

php --version

If it shows your old version (in your case 5.4), do this => disable the php5 module:

a2dismod php5

Then, enable the php7 module:

a2enmod php7.0

If you get some errors about the module not being installed:

ERROR: Module php7 does not exist!

try this:

sudo apt-get install libapache2-mod-php7.0

Next, reload/restart the Apache service:

service apache2 restart

Check the active PHP version now:

php --version

It should show PHP 7.0 ....

I had to take some steps as well to enable PHP 7 on my Debian server, see http://forum.vestacp.com/viewtopic.php?f=11&t=13053
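The module switch described in this post, written up as an added example script (it is not from the thread, VestaCP, or Richard's server). It assumes the Debian/Ubuntu Apache layout in which enabled modules appear as /etc/apache2/mods-enabled/<name>.load and available ones as /etc/apache2/mods-available/<name>.load, so the names match what a2enmod/a2dismod expect; the function names and the default target php7.0 are mine.

```shell
#!/bin/sh
# Added example (not from the thread or VestaCP): switch Apache's mod_php
# from one PHP version to another on Debian/Ubuntu, checking the current
# state before running a2dismod/a2enmod. Assumes the Debian layout where
# enabled modules are /etc/apache2/mods-enabled/<name>.load.
set -eu

MODS_ENABLED="${MODS_ENABLED:-/etc/apache2/mods-enabled}"
MODS_AVAILABLE="${MODS_AVAILABLE:-/etc/apache2/mods-available}"

# plan_php_switch TARGET: reads enabled module names (one per line) on stdin
# and prints the a2dismod/a2enmod commands needed so that TARGET is the only
# enabled php module. Prints nothing if the state is already correct.
plan_php_switch() {
    target="$1"
    already=0
    while IFS= read -r mod; do
        case "$mod" in
            "$target") already=1 ;;
            php*)      printf 'a2dismod %s\n' "$mod" ;;
        esac
    done
    if [ "$already" -eq 0 ]; then
        printf 'a2enmod %s\n' "$target"
    fi
}

# enabled_php_modules: list the php* modules currently enabled, by name.
enabled_php_modules() {
    [ -d "$MODS_ENABLED" ] || return 0
    for f in "$MODS_ENABLED"/php*.load; do
        [ -e "$f" ] || continue
        basename "$f" .load
    done
}

# module_available TARGET: succeeds if a2enmod could enable TARGET; the
# failing case is the "Module php7 does not exist!" error from the post.
module_available() {
    [ -e "$MODS_AVAILABLE/$1.load" ]
}

# php_cli_version: extract "7.0.12" from `php --version` text on stdin.
php_cli_version() {
    sed -n 's/^PHP \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

main() {
    target="${1:-php7.0}"
    mode="${2:-plan}"   # "plan" only prints the commands; "apply" runs them
    if ! module_available "$target"; then
        echo "Module $target is not available; install it first, e.g." >&2
        echo "  sudo apt-get install libapache2-mod-$target" >&2
        exit 1
    fi
    plan=$(enabled_php_modules | plan_php_switch "$target")
    if [ -z "$plan" ]; then
        echo "$target is already the only enabled php module"
        return 0
    fi
    echo "$plan"
    if [ "$mode" = "apply" ]; then
        echo "$plan" | sh -e
        service apache2 restart
        echo "CLI now reports PHP $(php --version | php_cli_version)"
    fi
}

# Only act when a target is given, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run `sh switch-php.sh php7.0` to see what would change, and `sh switch-php.sh php7.0 apply` (as root) to do it and restart Apache; note that `php --version` reports the CLI binary, which can differ from what Apache loads, so the mods-enabled listing is the check that matters for the web server.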

Re: Integrate PHP to use server version on Ubuntu

Posted: Sun Nov 13, 2016 6:23 pm
by mehargags
You only need a PCI Compliance Audit on your Website if you STORE Credit Card numbers in your website/DB in some way... You do not need it if you are using a payment gateway like stripe/authorize.net or similar that only require you to have SSL, and not being PCI compliant.

To be on the safer side, you should not store Credit Card Data in your application at all.
Compliance may not be issued for a VPS.. but to a dedicated box only and is not just for your Server alone, your HW Firewall, Data Centre need to be PCI compliant as well. Cases vary... but why take the hassle and risk if it is easy to use a Payment gateway to do the heavy lifting for you

Re: Integrate PHP to use server version on Ubuntu

Posted: Mon Nov 14, 2016 3:16 pm
by seventhstar
We already updated the php version.
php -v
PHP 7.0.12-1+deb.sury.org~trusty+1 (cli) ( NTS )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2016 Zend Technologies
with Zend OPcache v7.0.12-1+deb.sury.org~trusty+1, Copyright (c) 1999-2016, by Zend Technologies

But Vesta CP is using an internal php which is in folder: /usr/local/vesta/php/ and this php version is 5.4.45
/usr/local/vesta/php/bin/php -v
PHP 5.4.45 (cli) (built: Nov 6 2015 18:40:30)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2014 Zend Technologies

Do you have any idea how can we update this php too?

Thank you

Re: Integrate PHP to use server version on Ubuntu

Posted: Mon Nov 14, 2016 10:03 pm
by PagesAtHome
I see.

Well, honestly I don't understand why you would want to do that since any web application you're using will be depending on either PHP-FPM or Apache, both of which use your system's PHP version (when enabled in the respective configuration files of course). You can find out your system's (global) version by just typing php -v:

 ..$ php -v
PHP 7.0.12-1~dotdeb+8.1 (cli) ( NTS )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2016 Zend Technologies
    with Zend OPcache v7.0.12-1~dotdeb+8.1, Copyright (c) 1999-2016, by Zend Technologies

vs

 ..$ /usr/local/vesta/php/bin/php -v
PHP 5.4.45 (cli) (built: Nov  6 2015 06:06:48)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2014 Zend Technologies

Are you using apache? If so, did you dismod & enmod the right php version?

Anyways, if you really want to change it you will have to do some manual editing I guess, and find all the files under the /usr/local/vesta path that use this hardcoded old version, like:

egrep -ir --include=*.{php,html,js} "(\/usr\/local\/vesta\/php\/)" .

Kind regards,

Richard

Re: Integrate PHP to use server version on Ubuntu

Posted: Tue Nov 15, 2016 4:19 pm
by seventhstar
Yes, you are right. Other applications are using PHP7, only the VestaCP is using PHP5.
We are using apache2 but the VestaCP is using its own nginx webserver (/usr/local/vesta/nginx/) which is running on port 8083.

We are running a PCI Scan and in the report we have a problem:
"Port: tcp/8083
Remote attacker can cause a denial of service by providing crafted XML document and triggering wddx_deserialize function call from WDDX extension (wddx.c file). PHP versions before 5.5.33 (for PHP 5.5.x and lower) and 5.6.19 (for PHP 5.6.x branch) are vulnerable."
This is the reason why we want to upgrade this PHP.
And for this command egrep -ir --include=*.{php,html,js} "(\/usr\/local\/vesta\/php\/)" . I did not receive any results.

Thank you
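The scan finding quoted in this post, together with the mitigations the thread suggests later (stop the panel service or block port 8083 in the firewall), can be turned into a quick local check. The script below is an added example, not from the thread or from VestaCP: it classifies each PHP binary against the two thresholds the scan report states (fixed in 5.5.33 for 5.5.x and lower, 5.6.19 for 5.6.x; any other branch is reported as not covered by this finding rather than guessed at), and reports whether the panel port is bound on a wildcard address, which is what makes it reachable by the scanner unless a firewall blocks it. The binary paths, the default port, and the sample `php -v` text in the test are assumptions taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or VestaCP): report which PHP binaries
# on the host still fall under the WDDX finding quoted from the PCI scan,
# and whether the panel port is bound on all interfaces. Only the
# thresholds the scan stated are encoded; other branches are "not-covered".
set -eu

# version_from_output: turn `php -v` text on stdin into "5.4.45".
version_from_output() {
    sed -n 's/^PHP \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# php_version_of BINARY: version string, or empty if it cannot be run.
php_version_of() {
    "$1" -v 2>/dev/null | version_from_output
}

# wddx_status VERSION: prints vulnerable, fixed or not-covered.
wddx_status() {
    ver="$1"
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;
    esac
    patch=${patch%%[!0-9]*}      # drop "-1+deb..." style suffixes
    patch=${patch:-0}
    if [ "$major" != 5 ]; then
        echo "not-covered"           # the finding only names 5.x branches
    elif [ "$minor" -lt 5 ]; then
        echo "vulnerable"            # everything below 5.5.33, e.g. 5.4.45
    elif [ "$minor" -eq 5 ] && [ "$patch" -ge 33 ]; then
        echo "fixed"
    elif [ "$minor" -eq 5 ]; then
        echo "vulnerable"
    elif [ "$minor" -eq 6 ] && [ "$patch" -ge 19 ]; then
        echo "fixed"
    elif [ "$minor" -eq 6 ]; then
        echo "vulnerable"
    else
        echo "not-covered"
    fi
}

# listening_wildcard PORT: reads `ss -ltn` output on stdin and prints each
# local address field that binds PORT on all interfaces (*, 0.0.0.0, [::]).
listening_wildcard() {
    awk -v p="$1" '
        { for (i = 1; i <= NF; i++)
            if ($i ~ ("^(\\*|0\\.0\\.0\\.0|\\[::\\]|::):" p "$")) print $i }'
}

main() {
    port="${1:-8083}"   # VestaCP panel port from the thread
    # Assumed locations: distro CLI binary and the panel's bundled one.
    for bin in /usr/bin/php /usr/local/vesta/php/bin/php; do
        ver=$(php_version_of "$bin")
        if [ -z "$ver" ]; then
            echo "$bin: not present or not runnable"
        else
            echo "$bin: PHP $ver -> $(wddx_status "$ver")"
        fi
    done
    if command -v ss >/dev/null 2>&1; then
        bound=$(ss -ltn | listening_wildcard "$port")
        if [ -n "$bound" ]; then
            echo "port $port is bound on all interfaces ($bound): restrict it in the firewall or stop the service until the bundled PHP is updated"
        else
            echo "port $port is not bound on a wildcard address"
        fi
    fi
}

# Only run the live checks when a port is given, so the file can be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh check-panel-php.sh 8083`; the version parsing is the same for both binaries, so the output makes the mismatch between the system PHP and the bundled /usr/local/vesta/php one visible in one place.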

Re: Integrate PHP to use server version on Ubuntu

Posted: Tue Nov 15, 2016 5:19 pm
by mehargags

service vesta stop

which closes it running on 8083
and also block 8083 in your firewall

This will get you through for the moment...

Re: Integrate PHP to use server version on Ubuntu

Posted: Tue Nov 15, 2016 5:49 pm
by PagesAtHome
You should run that command from the /usr/local/vesta/ folder.

Also, keep in mind that any change might revert back with every update of VestaCP.

Re: Integrate PHP to use server version on Ubuntu

Posted: Tue Nov 15, 2016 6:46 pm
by seventhstar
Do you know if/when VestaCP plans on updating PHP to be more current or perhaps having a button in the control panel to use internal or server version of PHP?

Re: Integrate PHP to use server version on Ubuntu

Posted: Tue Nov 22, 2016 12:20 pm
by skurudo
seventhstar wrote: Do you know if/when VestaCP plans on updating PHP to be more current or perhaps having a button in the control panel to use internal or server version of PHP?
A few versions from now, I hope.
I think, it'll be better if you restrict via firewall access to VestaCP.