v10.5.20160510 - 10 May 2016
Copy Link
Copy Link
Update v10.5.20160510 - 10th May 2016
New Features
- New check for WordPress 4.5.2 Security Release
v10.5.20160504 - 05 May 2016
Copy Link
Copy Link
Build v10.5.20160504 - 5th May 2016
Improvements
- Updated the PCI DSS compliance report for PCI DSS 3.2
- Updated the NIST Special Publication 800-53 – Recommended Security Controls for Federal Information Systems compliance report to comply with revision 4 of the publication
Bug Fixes
- Fixed a bug that could result in remote code execution
v10.5.20160427 - 27 Apr 2016
Copy Link
Copy Link
Build v10.5.20160427 - 27th April 2016
New Features
- New version of .NET AcuSensor (requires removal of the sensors installed in the web applications – check this blog post for more info)
- Implemented a test looking for JSP source code disclosure via SOH (start of header)
- Added a script for parsing specific Java error messages to improve crawling coverage and discover new content.
Improvements
- Improved backup config files discovery
- Request cookies will now be automatically processed from proxy log requests and used during a scan
- The Crawler now processes untrusted URLs even if they do not belong to the host being scanned.
Bug Fixes
- Fixed a number of false positives in the SQL injection vulnerability checks
- Limit AST parsing to files smaller than 1Mb
- Fixed an SQL injection vulnerability in the reporter.
v10.5.20160302 - 02 Mar 2016
Copy Link
Copy Link
Update v10.5.20160302 - 2nd March 2016
New Features
- New Vulnerability check for DROWN attack – CVE-2016-0800
- New vulnerability checks for Rails remote code execution using render :inline – CVE-2016-2098
- New vulnerability checks for various AmCharts SWF XSS vulnerabilities
- New vulnerability checks for vulnerabilities in Google Referrer search query
- New vulnerability checks for Adobe Flex 3 DOM-based XSS vulnerability and other Adobe Flex vulnerabilities.
v10.5.20160215 - 16 Feb 2016
Copy Link
Copy Link
Build v10.5.20160215 - 16th February 2016
New Features
- Implemented support for automatically scanning Drupal and Joomla! web applications using a proprietary database of vulnerabilities
- Implemented support for CVSS v3.0 for most vulnerabilities
- Added a test for HTTP Response Splitting in Node.js (CVE-2016-2216)
- Added a test for Magento Cacheleak vulnerability
- Added a test looking for ASP.NET diagnostic pages
- Implemented a test looking for XXE (XML External Entity injection) in SAML (Security Assertion Markup Language) payloads
- Added a test for vulnerabilities presented in the Perl Jam 2 presentation
- Added a test for Atlassian Jira 6.0.* <= 6.1.4 DOM-based XSS
- Added a test for AngularJS client-side template injection
- Added a test for Rails Dynamic Render to RCE (CVE-2016-0752)
- Added a test looking for LiteSpeed request header injection
- Added a test for Path Traversal in Oracle GlassFish Server Open Source Edition
- Parse Javascript files using an Abstract Syntax Tree Parser to extract various information useful for the crawler.
Improvements
- Improved Blind and Error-based SQL injection tests
- Improved XSS tests
- Big improvements to the XXE (XML External Entity) tests
- Improved static crawling by parsing of JavaScript event handler parameters.
- Improve Email header injection test based on the paper from http://www.mbsd.jp/Whitepaper/smtpi.pdf
v10.0.20151125 - 26 Nov 2015
Copy Link
Copy Link
Build v10.0.20151125 - 26th November 2015
New Features
- Added a test looking for insecure CORS configurations.
- Added a test looking for CVE-2014-7829 – Arbitrary file existence disclosure in Action Pack.
- Added a test looking for Rails application running in development mode.
- Added a test looking for CVE-2015-7808 vBulletin 5 PreAuth RCE.
- Added a test looking for Insecure DNS records
- Added a test looking for Spring Boot Actuator
- Added a test looking for Tornado Debug mode
- Added a test looking for Pyramid Debug mode
- Implemented PHP object deserialization of user-supplied data
- Added a test looking for older versions of the ZeroClipboard SWF library that are vulnerable to a cross-site scripting vulnerability.
Improvements
- Updated WordPress plugins and WordPress core checks.
- Improved tests for possible sensitive directories and sensitive files.
- Improved Apache Axis audit script.
- Added a test for Java object deserialization of user-supplied data
- Various improvements for XSS detection.
- Improved HTML structural parser and added allow to robots.txt parser
- Added support for WADL files when served using
content-type application/vnd.sun.wadl+xml
Bug Fixes
- Fixed crash cause during auto session detection.
- Security fix for privilege escalation reported by security researcher Daniele Linguaglossa
v10.0.20151028 - 28 Oct 2015
Copy Link
Copy Link
Build v10.0.20151028 - 28th October 2015
Improvements
- Improved the description for all the vulnerability checks in Scanning Profiles
v10.0.20151026 - 26 Oct 2015
Copy Link
Copy Link
Build v10.0.20151026 - 26th October 2015
Bug Fixes
- Bug limiting the number of external hosts in kbase
- Fixed a issue which caused the scanner to crash
- Some script dependencies could cause the scan to not finish
- Importer crash when user user cancels the importation
- Fixed syntax error affecting Chinese Windows
- Restrictions configured in LSR where not taken into consideration in some POST requests
v10.0.20150921 - 22 Sep 2015
Copy Link
Copy Link
Build v10.0.20150921 - 22nd September 2015
New Features
- Added a new test looking for development configuration files such as Vagrantfile, Gemfile, Rakefile and others
- Added a test for Insecure response with wildcard ‘*’ in Access-Control-Allow-Origin
- Added detection of Cross Site Scripting (XSS) in the mobile-touch event handlers
- Added a test for CVE-2015-5956 – Typo3 Core sanitizeLocalUrl() Non-Persistent Cross-Site Scripting
- Added a test looking for CVE-2015-5603: HipChat for JIRA plugin – Velocity Template Injection
- Added a test looking for vulnerable project dependencies by analyzing the contents of composer.lock
- Added a test for CVE-2015-5161 – XML eXternal Entity Injection (XXE) on PHP FPM (FastCGI Process Manager), affecting various versions of Zend Framework and ZendXML
- Added a test for CVE-2014-0114 – Class Loader Manipulation via Request Parameters affecting Apache Struts 1
- Added a test for CVE-2015-4670: Directory Traversal to Remote Code Execution in AjaxControlToolkit
- Added a test looking for sensitive files such as .mysql_history, .bash_history and others. Acunetix will verify the contents of these files to reduce false positives caused by custom 404s.
Improvements
- Updated database of WordPress core and plugin vulnerabilities.
- Added more checks for vulnerable JavaScript libraries.
- Improved WADL parsing to support more representation types.
Bug Fixes
- Fixed some false positives in JavaScript libraries audit.
- Fixed a false positive in File Inclusion script.
- Fixed an issue causing JSON and XML inputs not being checked for XSS.
- Fixed SSL audit bug that is triggered when server_name extension was not sent to the server during SSL negotiation.