Acunetix WVS v.10 (build 20150921) has been released. This new build checks for Cross Site Scripting in mobile-touch event handlers and for various vulnerabilities in products such as Composer, Zend Framework, AjaxControlToolkit and others. Below is a full list of updates.
New Features
- Added a new test looking for development configuration files such as Vagrantfile, Gemfile, Rakefile and others
- Added a test for an insecure response that sets the wildcard ‘*’ in the Access-Control-Allow-Origin header
- Added detection of Cross Site Scripting (XSS) in the mobile-touch event handlers
- Added a test for CVE-2015-5956 – Typo3 Core sanitizeLocalUrl() Non-Persistent Cross-Site Scripting
- Added a test looking for CVE-2015-5603: HipChat for JIRA plugin – Velocity Template Injection
- Added a test looking for vulnerable project dependencies by analyzing the contents of composer.lock
- Added a test for CVE-2015-5161 – XML eXternal Entity Injection (XXE) on PHP FPM (FastCGI Process Manager), affecting various versions of Zend Framework and ZendXML
- Added a test for CVE-2014-0114 – Class Loader Manipulation via Request Parameters affecting Apache Struts 1
- Added a test for CVE-2015-4670: Directory Traversal to Remote Code Execution in AjaxControlToolkit
- Added a test looking for sensitive files such as .mysql_history, .bash_history and others. Acunetix will verify the contents of these files to reduce false positives caused by custom 404s.
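As an added illustration of the Access-Control-Allow-Origin check listed above (this is example code written for this page, not Acunetix's own test), the function below reads the headers of a raw HTTP response and reports a wildcard ACAO, and additionally flags the wildcard combined with Access-Control-Allow-Credentials: true, a combination browsers reject but which signals a misconfigured server. The response texts are constructed samples.

```python
"""Check a raw HTTP response for an insecure wildcard CORS policy.

Added example, not part of the Acunetix release notes or product code.
The sample responses below are constructed for illustration.
"""

def parse_headers(raw_response: str) -> dict:
    """Return a dict of lower-cased header names to values from a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_cors(raw_response: str) -> list:
    """Return the CORS findings for one response.

    'wildcard_acao'             : Access-Control-Allow-Origin is '*', so any
                                  origin may read the response body.
    'wildcard_with_credentials' : '*' together with Allow-Credentials: true,
                                  a misconfiguration browsers refuse to honour
                                  but which shows credentialed data is meant
                                  to be exposed cross-origin.
    """
    headers = parse_headers(raw_response)
    acao = headers.get("access-control-allow-origin")
    creds = headers.get("access-control-allow-credentials", "").lower() == "true"
    findings = []
    if acao == "*":
        findings.append("wildcard_acao")
        if creds:
            findings.append("wildcard_with_credentials")
    return findings


# Constructed sample responses (not captured from any real host).
SAFE_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{}"
WILDCARD_RESPONSE = ("HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: *\r\n"
                     "Content-Type: application/json\r\n\r\n{}")
WILDCARD_CREDS_RESPONSE = ("HTTP/1.1 200 OK\r\naccess-control-allow-origin: *\r\n"
                           "Access-Control-Allow-Credentials: true\r\n\r\n{}")

if __name__ == "__main__":
    for name, resp in [("safe", SAFE_RESPONSE), ("wildcard", WILDCARD_RESPONSE),
                       ("wildcard+creds", WILDCARD_CREDS_RESPONSE)]:
        print(name, audit_cors(resp))
```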
Improvements
- Updated database of WordPress core and plugin vulnerabilities.
- Added more checks for vulnerable JavaScript libraries.
- Improved WADL parsing to support more representation types.
Bug Fixes
- Fixed some false positives in the JavaScript libraries audit.
- Fixed a false positive in the File Inclusion script.
- Fixed an issue that caused JSON and XML inputs not to be checked for XSS.
- Fixed an SSL audit bug triggered when the server_name extension was not sent to the server during SSL negotiation.
How to Upgrade
If you are running Acunetix Web Vulnerability Scanner v10, you will be notified that a new build is available to download when you start the application. Navigate to the General > Program Updates node in the Tools explorer and click Download and Install to get the new build.
If you are running Acunetix WVS v8 or v9, follow the upgrade instructions in the “Upgrading from a previous version of Acunetix Web Vulnerability Scanner” section of the Acunetix WVS user manual.
You can see the complete Acunetix WVS change log here.