Acunetix Standard & Premium

New Features and Vulnerability tests

• New test for WordPress Arbitrary File Deletion Vulnerability described here and here (CVE-2018-12895)
• Added detection of vulnerabilities in the following wordpress plugins:
  • Advanced Order Export For WooCommerce (CVE-2018-11525)
  • WordPress Comments Import & Export (CVE-2018-11526)
  • iThemes Security (formerly Better WP Security) (CVE-2018-12636)
  • ChimpMate-WordPress MailChimp Assistant
  • FireDrum Email Marketing
• New test for Joomla! Core Local File Inclusion (CVE-2018-12712)
• New test for Joomla! Core Cross-Site Scripting (CVE-2018-12711)

Fixes

• Fixed issue with NTLM HTTP Authentication
• Fixed issue causing some pages not to load correctly in the LSR
• Fixed 2 false positives for “User controllable charset” and “User controllable script source”
• Fixed issue in handling HAR import files

Updates

• More improvements to Web Application Detection
• Reports not show if a scan has failed

Fixes

• Scanner was not parsing all AcuSensor data, causing some vulnerabilities not to be reported when AcuSensor is used
• Some reqeusts to HTTPs sites were being downgraded to HTTP

Updates

• DeepScan has been updated to ignore images resulting in faster scans

Fixes

• Excluded paths not taken into consideration
• Parts of the scan were not using the Custom 404
• Some paths where not identified correctly

New Features

• New faster Engine
• Scans can now be Paused and Resumed
• Targets can be imported from CSV
• New JAVA AcuSensor
• Support for latest JavaScript (ES6 and ES7) in DeepScan and Login Sequence Recorder
• Configurable Password Policies including Password History, Auto Password Expiry and Account Lockout
• 2 Factor Authentication in the Acunetix UI
• Exclude what to scan directly from Crawl results or previous scans

Updates and Fixes

• Too many to enumerate
• Multiple updates to the vulnerability checks

New Features and Vulnerability Tests

• Added support for Selenium scripts as Target Import files
• Introduced various vulnerability checks for CMS Made Simple including:
  • PHP Remote File Inclusion (RFI) in version 0.10 (CVE-2005-2846)
  • SQL Injection in version 1.0.5 and earlier (CVE-2007-2473)
  • Directory Traversal in version 1.8.1 and earlier (CVE-2010-2797)
  • Web Server Cache Poisoning in versions 2.1.3 and earlier and 1.12.2 and earlier (CVE-2016-2784)
  • Cross Site Request Forgery (CSRF) in version 2.1.6 and earlier (CVE-2016-7904)
  • Cross Site Scripting (XSS) in version 2.1.6 and earlier (CVE-2017-6555)
  • Cross Site Scripting (XSS) in version 2.1.6 (CVE-2017-6556)
  • Local File Inclusion in version 2.1.6 and earlier

Improvements

• Various minor UI updates
• Improved handling of aborted scans for Targets with Continuous scanning enabled
• Increased Custom Cookie size limit from 512 bytes to 10Kb (2Kb for Acunetix Online)
• Added new email templates
• Email notification now indicates if a scan has failed
• Multiple minor updates to the reports
• Updated the Error Message script to show full JAVA error messages
• Tech Admin role can now create and alter Scan types.

Fixes

• Scan Comparison was incorrectly switching the order of the scans
• Scan Comparison was incorrectly comparing with Allowed host
• Fixed bug in the licensed user limit
• Fixed bug causing scans to fail when the LSR contains Unicode characters
• Multiple fixes in XML export
• Multiple fixes in F5 WAF rules export
• Fixed 2 minor security issues in web interface
• 2 fixes affecting incorrect vulnerability count in Dashboard
• Fixed the retesting of vulnerabilities for Targets requiring manual intervention
• Fixed the Targets page incorrectly showing that the Target is being scanned, when an ongoing scan is deleted.