AnsweredAssumed Answered

QID 12722 - PHP Session Fixation Vulnerability

Question asked by Stevie Beck on Oct 22, 2013

Does anybody know, how QID 12722 is detected by Qualys-VM?

 

As this QID is flagged as a "potential vulnerability" only, Qualys-VM may only look at the PHP version in use. However, this is even challenging as PHP does not specifically address the 5.4.x versions that may contain the fix,

It only mentions the fix available in 5.5.x starting with 5.5.2 (www.php.net/ChangeLog-5.php).

What about 5.4.x: is it fixed in 5.4.17 (as the NVD site suggests: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4718) or in 5.4.18 (as this version was released in sync with 5.5.2), or even not at all in the 5.4.x line...?

Outcomes