Acunetix allowed us to identify some major vulnerabilities before hackers were able to exploit them. This has made Sendy a far more secure application and hugely reduced the risk of us being breached.
Sendy is a self hosted email newsletter application designed to send trackable emails via Amazon Simple Email Service (SES), thus making it possible to send authenticated bulk emails at a lower cost in comparison with other popular online services. The requirements for use are Apache servers using a Unix-based operating system, running PHP and MySQL. With thousands of users worldwide, including large companies hosting the Sendy application on their own networks, it is of vital importance that vulnerabilities are kept in check, since these could have implications for millions of subscribers, in addition to the users of the application.
Since Sendy is a user-hosted largely open-source application, it would be easy for hackers to locate vulnerabilities in the scripts. The implications for users could be as severe as any hack, meaning their sensitive data could be stolen, whereas for Sendy as a provider it could mean loss of customer trust and therefore seriously damaging their reputation and position in the market.
Acunetix located a number of vulnerabilities in Sendy’s source code, the majority being major SQL Injection and Cross Site Scripting (XSS) vulnerabilities, which are frequently exploited by Hackers. SQL Injection could be used to access the Sendy database, allowing the hacker to, for example, steal the list of users. It could also be used to compromise the server running the application. The Cross Site Scripting (XSS) vulnerability, on the other hand, could be used to steal the cookies of the Sendy administrator, allowing the attacker full control of the Sendy application.
Acunetix technology AcuSensor, was used during the scan on Sendy which revealed additional information about the vulnerabilities, such as the SQL query that was used to detect the vulnerability. In addition, through AcuSensor, it was possible to detect the line of code causing the vulnerability from the source files affected. It also didn’t report any false positives which made work to fix the vulnerabilities much quicker. The increased accuracy is achieved by combining black box scanning techniques with feedback from sensors placed inside the source code while the source code is executed.
As with any software or application, updating to the latest version is essential in ensuring security. The vulnerabilities found in Sendy have now been fixed, so updating the application will ensure there are no vulnerabilities on your machine (at least not in Sendy).
Sendy is an independent software founded by Ben Ho from Hex in Singapore. Hex, founded by Ben Ho and Melly Fong in 2007 started out providing web design and development services until Sendy took over the main business in 2012.
"The company needed a ‘digital fortress’ to protect the private/personal information and monitor any security vulnerabilities ongoing. Acunetix is instrumental in massively reducing online risk – making sure there are no black holes which could be exploited"
Anthony Sinclair Managing Director"The issues detected were of major impact, if users/hackers would have found the security holes, they could have hacked an entire Joomla! site."
Robin Muilwijk Quality and Testing Team"Acunetix is used in a complementary way with other Web Scanners to achieve the best vulnerability detection coverage possible"
Nicolas Pougetoux Manager of the Audit Department