v10.0.20151028 - 28 Oct 2015
Copy Link
Copy Link
Build v10.0.20151028 - 28th October 2015
Improvements
- Improved the description for all the vulnerability checks in Scanning Profiles
v10.0.20151026 - 26 Oct 2015
Copy Link
Copy Link
Build v10.0.20151026 - 26th October 2015
Bug Fixes
- Bug limiting the number of external hosts in kbase
- Fixed a issue which caused the scanner to crash
- Some script dependencies could cause the scan to not finish
- Importer crash when user user cancels the importation
- Fixed syntax error affecting Chinese Windows
- Restrictions configured in LSR where not taken into consideration in some POST requests
v10.0.20150921 - 22 Sep 2015
Copy Link
Copy Link
Build v10.0.20150921 - 22nd September 2015
New Features
- Added a new test looking for development configuration files such as Vagrantfile, Gemfile, Rakefile and others
- Added a test for Insecure response with wildcard ‘*’ in Access-Control-Allow-Origin
- Added detection of Cross Site Scripting (XSS) in the mobile-touch event handlers
- Added a test for CVE-2015-5956 – Typo3 Core sanitizeLocalUrl() Non-Persistent Cross-Site Scripting
- Added a test looking for CVE-2015-5603: HipChat for JIRA plugin – Velocity Template Injection
- Added a test looking for vulnerable project dependencies by analyzing the contents of composer.lock
- Added a test for CVE-2015-5161 – XML eXternal Entity Injection (XXE) on PHP FPM (FastCGI Process Manager), affecting various versions of Zend Framework and ZendXML
- Added a test for CVE-2014-0114 – Class Loader Manipulation via Request Parameters affecting Apache Struts 1
- Added a test for CVE-2015-4670: Directory Traversal to Remote Code Execution in AjaxControlToolkit
- Added a test looking for sensitive files such as .mysql_history, .bash_history and others. Acunetix will verify the contents of these files to reduce false positives caused by custom 404s.
Improvements
- Updated database of WordPress core and plugin vulnerabilities.
- Added more checks for vulnerable JavaScript libraries.
- Improved WADL parsing to support more representation types.
Bug Fixes
- Fixed some false positives in JavaScript libraries audit.
- Fixed a false positive in File Inclusion script.
- Fixed an issue causing JSON and XML inputs not being checked for XSS.
- Fixed SSL audit bug that is triggered when server_name extension was not sent to the server during SSL negotiation.
v10.0.20150820 - 20 Aug 2015
Copy Link
Copy Link
Build v10.0.20150820 - 20th August 2015
New Features
- Added a test for Server-Side Template Injection vulnerability.
- Added tests for new WordPress (core and plugins) vulnerabilities.
- Added a test checking for Django Debug Mode
Improvements
- Improved CRLF injection/HTTP response splitting tests
- Improvements to the XSS testing script
- Updated Payment Card Industry (PCI) report to PCI 3.1
- Updated DISA Application Security and Development STIG report to V3R10
- LSR updated to support all SSL cipher suites
Bug Fixes
- Fixed a crash in WSDL scanner
- Various updates and fixes in the Login Sequence Recorder
- DeepScan blocks on a specific sites
- Fixed bug in Scan wizard
- Crash in Scan wizard when choosing a non-existent login sequence file name
- Crawler starturl was incorrectly set to http instead of https when importing from proxy log
v10.0.20150623 - 24 Jun 2015
Copy Link
Copy Link
Build v10.0.20150623 - 24th June 2015 - NEW VERSION
New Features
- New Login Sequence Recorder which supports Single-Sign-On (SSO) and OAuth-based authentication.
- Database of 1200 WordPress-specific vulnerabilities, including checks for WordPress core and popular WordPress plugins.
- Improved scanning of Java / J2EE web applications
- Improved scanning of Restful Web Services, including parsing of WADL files
- Improved scanning of web applications implemented in Ruby on Rails
- Detection of XML External Entity (XXE) via REST APIs
- Crawling a website can now be pre-seeded using HAR files and exports from Fiddler, Burp, Selenium and the Acunetix Sniffer
- Introduced the detection of links to websites known to host malware or used for phishing
- Improved support for WSDL-based web services by introducing support for
xsd:include,xsd:importandwsdl:import
v9.5.20150119 - 20 Jan 2015
Copy Link
Copy Link
Build v9.5.20150119 - 20th January 2015
New Features
- Added a test for WordPress 3 Persistent Script Injection
- Added multiple tests looking for User controllable tag parameter (like link href)
- Added various tests for ASP.NET version disclosure, ASP.NET MVC version disclosure, Microsoft IIS version disclosure.
Improvements
- Upgraded to a newer version of OpenSSL
- Improved the script looking for XSS vulnerabilities
- Improved the script looking for URL redirect issues
- Improved the script testing for SQL injections
Bug Fixes
- Fixed parsing issues for specific formatted links
- Fixed issue causing invalid files to be locked after drag-n-drop opening operation fails
- Crawler was aborting too early if many files were identified during the crawl
- If AcuSensor listed too many files at the beginning, crawler was stopping without actually crawling
- Fixed a memory leak
v9.5.20141120 - 20 Nov 2014
Copy Link
Copy Link
Build v9.5.20141120 - 20th November 2014
Improvements
- Improved TLS support
- Introduced support for HTTP pipelining
- Minor bug fixes
v9.5.20140902 - 02 Sep 2014
Copy Link
Copy Link
Build v9.5.20140902 - 2nd September 2014
New Features
- Implemented a test for format strings vulnerabilities in web applications
- Implemented support for Hibernate Query Injection
- Implemented a check for MySQL username disclosure in error messages
- Implemented a test looking for vBulletin 5 SQL injection
- Implemented detection of Multiple Vulnerabilities in Parallels Plesk Sitebuilder
- Implemented a test looking for WordPress XMLRPC bruteforce
- Implemented a test for Remote File Upload vulnerability in Mailpoet/Wysija newsletters popular WordPress plugin
- Implemented a test for Insecure Nonce Generation in popular WordPress plugin WPTouch
- Implemented a test looking for various JSP access restriction bypasses in Java web applications
- Implemented detection of multiple vulnerabilities in Kunena Forum for Joomla
- Implemented a test checking if applets are permitted when file uploads are possible (this will lead to XSS vulnerabilities)
- Added a test for Java Debug Wire Protocol vulnerabilities
- Added a test for Zabbix XXE
- Added a test looking for Weblogic console default credentials
- Added a test for Symphony debugging console enabled
- Added a test for some MongoDB vulnerabilities
- Added a test looking for Chrome Logger information disclosure
- Added a generic script looking for unsecured mail forms that could lead to spam
- Added a test to check if ASP.NET Viewstate MAC is enabled
- Implemented a test for WordPress/Drupal/… XML quadratic blowup denial of service attack
- Added a test looking for HTML injection with unterminated tag
- Added a test for WordPress plugin Custom Contact Forms.
Improvements
- Various optimisations to Amazon S3 related scripts such as XXE and SSRF
- Improved the script looking for possible sensitive files
- XSS script can now find less common XSS variants such as double encode payloads
- SQL injection script checks for other variants such as SQL injection in order by, group by
- XSS script now checks for many user controllable tag attributes
- Various optimizations in the generation of reports
- Improved Server Directory Traversal script
- Improved Host Header Attack script
Bug Fixes
- Fixed JS errors that appear in HTTP editor.
- Restricted links matching was not working in some situations.
- Fixed the slow response time alert – moved alert details from description.
- Fixed a false positive with Struts2_Development_Mode script.
- Auto login crash if requests were failing after a long time.
- Existing cookies from manual browsing were ignored by crawler.
- Reduced some false positives in Backup file reporting.
- Login Sequence Recorder will delete the cookies it collected in the wizard.
- Crawler will use cookies from LSR in manual mode.
v9.5.20140602 - 03 Jun 2014
Copy Link
Copy Link
Build v9.5.20140602 - 3rd June 2014
New Features
- Added a check for Open Flash Chart ‘ofc_upload_image.php’ Remote PHP Code Execution Vulnerability which affects various web applications including WordPress plugins, Joomla! components, piwik, and others
- Added a test for Joomla! v3.2.2 SQL Injection vulnerability
- Added a script which checks for various known Drupal vulnerabilities (in Drupal modules and Drupal core)
- Added a test for SFTP/FTP credentials exposure. Various SFTP/FTP clients are storing connection credentials in plain text files (such as sftp-config.json, recentservers.xml, etc.) that are later uploaded on the web server
- Added a test for “Same Site” Scripting
- Added a test for Parallels Plesk SSO (Single sign-on) XXE (XML External Entity) and XSS (Cross-Site Scripting) vulnerabilities
- Added a test for systems running PHP versions < 5.5.12, 5.4.28 (multiple vulnerabilities fixed in these versions including the Heartbleed bug affecting PHP)
- Added a test looking if the Elasticsearch service is accessible
- Added a test for Elasticsearch remote code execution
- Added a test for nginx SPDY heap buffer overflow (CVE-2014-0133)
- Added a test for Adobe ColdFusion 9 Administrative Login Bypass
- Added a test for multiple vulnerabilities affecting Ioncube loader-wizard.php file
- Added a test looking for Apache Roller OGNL Injectio
- Added a test for Apache Tomcat JK Web Server Connector security bypass.
- Added a test looking for XSS vulnerabilities in GWT Google Web Toolkit – CVE-2012-4563, CVE-2012-5920, CVE-2013-4204
- Added detection of PHP framework CodeIgniter
- Added a test that checks for server-side redirects from http:// to file://
- Added a test looking for weak encryption keys in CodeIgniter-based web applications
- Added a test looking for insecure Django strip_tags implementation
- Added a test for JBoss Seam 2.3.1 Remoting Vulnerabilities
- Added detection and a check for the latest version of Typo3 web application
- Added a test looking for Adobe Cold Fusion directory traversal and information disclosure (CVE-2013-3336)
- Added the following Cross Domain Data Hijacking vulnerability checks:
- Through file uploads,
- Through unsafe JSONP callback
- Through control over the top of the response page
- Added a test looking for Database connection strings information disclosure
- Added a test for CodeIgniter <= 2.1.3 xss_clean() Filter Bypass
- Added an alert for WordPress username enumeration
- Added a test for ExtJS charts.swf XSS (distributed with Typo3)
- Added a test for Ruby on Rails directory traversal (CVE-2014-0130)
- Added a test for WordPress plugin All In One SEO Pack security vulnerabilities.
Improvements
- Improved PHP version detection and OS detection
- Improve existing ColdFusion checks
- Improved SQL injection detection and added better error messages for IDM DB2 databases
- Improved XXE testing, introduced more test-cases as per this document
- Implemented server-name extension for TLS.
Bug Fixes
- Fixed issue were links originating from XHR are invalidated
- Fixed issues when inserting data in the reporting database
- Fixed issue with Invalid report dates when Microsoft Access is used for the Reporting database
- Web service editor didn’t used updated proxy settings
- HTTP editor – alert boxes not loading on Windows Server 2003 caused by Internet Explorer security restrictions
- Corrected CVE classification
- Fixed issue affecting some cases of crawl results from previous versions whereby the input method was not loaded properly
- Fixed crawler crash when sitemap file is invalid
- Apache_CN_Discover_New_Files.script script was double encoding URIs got from Apache
- Fixed various issues caused when the scan is paused.