This new release of Acunetix Web Vulnerability Scanner version 8, build 20130416, includes new and improved vulnerability checks which target WordPress installations, web applications hosted on Amazon S3, and various other web applications.

New Functionality

  • Added a test that enumerates valid WordPress usernames using various techniques.
  • Added a test for weak WordPress passwords for the usernames identified during the scan.
  • Added a test that identifies common WordPress plugins. For each plugin identified, Acunetix WVS will try to enumerate the plugin name, short description, installed version and latest version of the plugin. This information is shown in a Knowledge Base item.
  • Added a test that identifies Amazon S3 public buckets.
  • Added a test for the security hotfix for ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and UNIX (Adobe Vulnerability ID: APSB13-10; CVE-2013-1387, CVE-2013-1388).
  • Added a test looking for Apache Tomcat SessionExample servlet that can allow session manipulation.
  • Added a test for Drupal Views Module Information Disclosure Vulnerability.
  • Added a test for Gallery v3.0.4 Remote Code Execution.
  • Added a test for Jenkins Dashboard (http://jenkins-ci.org/).
  • Added a test for Roundcube Webmail Security updates 0.8.6 and 0.7.3.
  • Added a test for WordPress 3.4.2 Cross Site Request Forgery.
  • Added a test looking for a Cross-Site Scripting vulnerability in older versions of jQuery which affected Drupal amongst others.
  • Added a test looking for SQL Injection in Symphony v2.3.1 (CVE-2013-2599).

Improvements

  • Client Script Analyser: Optimized script source retrieval (modernizr-2.5.3.js)
  • Improved XSS in URI script to test for Apache Tomcat Path Parameters.
  • Improved WordPress Pingback Scanner test.
  • Improved Blind SQL Injection script.
  • Improved Crossdomain_XML script.
  • Improved Directory Traversal script.
  • Improved Error_Message script.
  • Improved URL redirection script.
  • Improved XSS testing script.
  • The number of input schemes has been reduced for known applications, improving scan performance for such web applications.

Bug Fixes

  • Fixed an issue which caused false positives to occasionally show up in the report for Scheduled Scans.
  • Better handling of META http-equiv="refresh" tags by the Crawler.
  • Fixed an issue in error_messages_helpers.inc script.
  • Fixed a minor bug in the Scheduler UI (Bug ID: 364).
  • North and South Korea are now correctly identified in the Product Activation Wizard.
  • Scans were sporadically entering a loop when scanning certain sites using a login sequence and the CSRF check was enabled.
  • WebApps scripts were being invoked even though they were excluded in the scanning profile.

How to Upgrade

When you start Acunetix WVS 8, you will be notified that a new build is available to download. Navigate to the General > Program Updates node in the Tools explorer, then click Download and Install the new build.

You can see the complete Acunetix WVS change log here.

Make sure you keep up to date with the latest website security and Acunetix news by reading the Acunetix Blog, taking part on the Acunetix Facebook Page, and following us on Twitter.

THE AUTHOR
Nicholas Sciberras
Principal Program Manager
As the Principal Program Manager, Nicholas is passionate about IT security and technology at large. Prior to joining Acunetix in 2012, Nicholas spent 12 years at GFI Software, where he managed the email security and anti-spam product lines, led multiple customer service teams, and provided technical training.