Why mod_perl and mod_python Apache modules are not installed by default in Plesk 12.5

Created:

2016-11-16 13:06:17 UTC

Modified:

2017-08-09 10:48:04 UTC

1

Was this article helpful?


Have more questions?

Submit a request

Why mod_perl and mod_python Apache modules are not installed by default in Plesk 12.5

Applicable to:

  • Plesk 12.5
  • Plesk Onyx for Linux

Information

Starting from Plesk version 12.5, the following changes are made in terms of Apache modules included into typical installation set:

  1. mod_perl and mod_python are not included

  2. system mod_php still included, but disabled by default

It was done for security reasons and takes place only on the latest OS versions - Ubuntu 14.0, Debian 8, CentOS7, RHEL7. Moreover, other Apache modules' support is considered to be dropped in the next Plesk releases.

Why using these Apache modules on shared hosting is insecure

  1. File security . mod_php , mod_perl and mod_python run under the identity of Apache server itself, and therefore scripts executed by these engines potentially can access anything the server user can. For example, files containing highly confidential personal data can be read by a script from another domain.

  2. Security of database connections . DBI connections of other users can be hijacked, and since all users can read each other's code, database usernames and passwords are visible to every user.

  3. Potential system compromise due to security issues in Apache code (is can be resolved by using jail or chroot mechanisms).

Which options to use Perl and Python remain

By default, Python and Perl are handled by FastCGI ( mod_fcgid module). For Python, it is also possible to use Application server (this option is described in this article )

Note : if your application is designed for using with mod_perl or mod_python , updating its code can be required.

Additional information

Apache 2.4 Security Tips

Have more questions? Submit a request
Please sign in to leave a comment.