Changelogs

Acunetix Standard & Premium


v10.0.20150820 - 20 Aug 2015

Build v10.0.20150820 - 20th August 2015

New Features

  • Added a test for Server-Side Template Injection vulnerability.
  • Added tests for new WordPress (core and plugins) vulnerabilities.
  • Added a test checking for Django Debug Mode

Improvements

  • Improved CRLF injection/HTTP response splitting tests
  • Improvements to the XSS testing script
  • Updated Payment Card Industry (PCI) report to PCI 3.1
  • Updated DISA Application Security and Development STIG report to V3R10
  • LSR updated to support all SSL cipher suites

Bug Fixes

  • Fixed a crash in WSDL scanner
  • Various updates and fixes in the Login Sequence Recorder
  • DeepScan was blocking on specific sites
  • Fixed bug in Scan wizard
  • Crash in Scan wizard when choosing a non-existent login sequence file name
  • Crawler start URL was incorrectly set to http instead of https when importing from a proxy log

v10.0.20150623 - 24 Jun 2015

Build v10.0.20150623 - 24th June 2015 - NEW VERSION

New Features

v9.5.20150119 - 20 Jan 2015

Build v9.5.20150119 - 20th January 2015

New Features

  • Added a test for WordPress 3 Persistent Script Injection
  • Added multiple tests looking for User controllable tag parameter (like link href)
  • Added various tests for ASP.NET version disclosure, ASP.NET MVC version disclosure, Microsoft IIS version disclosure.

Improvements

  • Upgraded to a newer version of OpenSSL
  • Improved the script looking for XSS vulnerabilities
  • Improved the script looking for URL redirect issues
  • Improved the script testing for SQL injections

Bug Fixes

  • Fixed parsing issues for specific formatted links
  • Fixed issue causing invalid files to be locked after drag-n-drop opening operation fails
  • Crawler was aborting too early if many files were identified during the crawl
  • If AcuSensor listed too many files at the beginning, crawler was stopping without actually crawling
  • Fixed a memory leak

v9.5.20141120 - 20 Nov 2014

Build v9.5.20141120 - 20th November 2014

Improvements

  • Improved TLS support
  • Introduced support for HTTP pipelining
  • Minor bug fixes

v9.5.20140902 - 02 Sep 2014

Build v9.5.20140902 - 2nd September 2014

New Features

  • Implemented a test for format strings vulnerabilities in web applications
  • Implemented support for Hibernate Query Injection
  • Implemented a check for MySQL username disclosure in error messages
  • Implemented a test looking for vBulletin 5 SQL injection
  • Implemented detection of Multiple Vulnerabilities in Parallels Plesk Sitebuilder
  • Implemented a test looking for WordPress XMLRPC bruteforce
  • Implemented a test for the Remote File Upload vulnerability in the popular Mailpoet/Wysija Newsletters WordPress plugin
  • Implemented a test for Insecure Nonce Generation in popular WordPress plugin WPTouch
  • Implemented a test looking for various JSP access restriction bypasses in Java web applications
  • Implemented detection of multiple vulnerabilities in Kunena Forum for Joomla
  • Implemented a test checking if applets are permitted when file uploads are possible (this will lead to XSS vulnerabilities)
  • Added a test for Java Debug Wire Protocol vulnerabilities
  • Added a test for Zabbix XXE
  • Added a test looking for Weblogic console default credentials
  • Added a test for Symfony debugging console enabled
  • Added a test for some MongoDB vulnerabilities
  • Added a test looking for Chrome Logger information disclosure
  • Added a generic script looking for unsecured mail forms that could lead to spam
  • Added a test to check if ASP.NET Viewstate MAC is enabled
  • Implemented a test for WordPress/Drupal/… XML quadratic blowup denial of service attack
  • Added a test looking for HTML injection with unterminated tag
  • Added a test for WordPress plugin Custom Contact Forms.

Improvements

  • Various optimisations to Amazon S3 related scripts such as XXE and SSRF
  • Improved the script looking for possible sensitive files
  • XSS script can now find less common XSS variants such as double encode payloads
  • SQL injection script checks for other variants such as SQL injection in order by, group by
  • XSS script now checks for many user controllable tag attributes
  • Various optimizations in the generation of reports
  • Improved Server Directory Traversal script
  • Improved Host Header Attack script

Bug Fixes

  • Fixed JS errors that appear in HTTP editor.
  • Restricted links matching was not working in some situations.
  • Fixed the slow response time alert – moved alert details from description.
  • Fixed a false positive with Struts2_Development_Mode script.
  • Auto login crash if requests were failing after a long time.
  • Existing cookies from manual browsing were ignored by crawler.
  • Reduced some false positives in Backup file reporting.
  • Login Sequence Recorder will delete the cookies it collected in the wizard.
  • Crawler will use cookies from LSR in manual mode.

v9.5.20140602 - 03 Jun 2014

Build v9.5.20140602 - 3rd June 2014

New Features

  • Added a check for Open Flash Chart ‘ofc_upload_image.php’ Remote PHP Code Execution Vulnerability which affects various web applications including WordPress plugins, Joomla! components, piwik, and others
  • Added a test for Joomla! v3.2.2 SQL Injection vulnerability
  • Added a script which checks for various known Drupal vulnerabilities (in Drupal modules and Drupal core)
  • Added a test for SFTP/FTP credentials exposure. Various SFTP/FTP clients are storing connection credentials in plain text files (such as sftp-config.json, recentservers.xml, etc.) that are later uploaded on the web server
  • Added a test for “Same Site” Scripting
  • Added a test for Parallels Plesk SSO (Single sign-on) XXE (XML External Entity) and XSS (Cross-Site Scripting) vulnerabilities
  • Added a test for systems running PHP versions < 5.5.12, 5.4.28 (multiple vulnerabilities fixed in these versions including the Heartbleed bug affecting PHP)
  • Added a test looking if the Elasticsearch service is accessible
  • Added a test for Elasticsearch remote code execution
  • Added a test for nginx SPDY heap buffer overflow (CVE-2014-0133)
  • Added a test for Adobe ColdFusion 9 Administrative Login Bypass
  • Added a test for multiple vulnerabilities affecting Ioncube loader-wizard.php file
  • Added a test looking for Apache Roller OGNL Injection
  • Added a test for Apache Tomcat JK Web Server Connector security bypass.
  • Added a test looking for XSS vulnerabilities in GWT Google Web Toolkit – CVE-2012-4563, CVE-2012-5920, CVE-2013-4204
  • Added detection of PHP framework CodeIgniter
  • Added a test that checks for server-side redirects from http:// to file://
  • Added a test looking for weak encryption keys in CodeIgniter-based web applications
  • Added a test looking for insecure Django strip_tags implementation
  • Added a test for JBoss Seam 2.3.1 Remoting Vulnerabilities
  • Added detection and a check for the latest version of Typo3 web application
  • Added a test looking for Adobe Cold Fusion directory traversal and information disclosure (CVE-2013-3336)
  • Added the following Cross Domain Data Hijacking vulnerability checks:
  • Added a test looking for Database connection strings information disclosure
  • Added a test for CodeIgniter <= 2.1.3 xss_clean() Filter Bypass
  • Added an alert for WordPress username enumeration
  • Added a test for ExtJS charts.swf XSS (distributed with Typo3)
  • Added a test for Ruby on Rails directory traversal (CVE-2014-0130)
  • Added a test for WordPress plugin All In One SEO Pack security vulnerabilities.

Improvements

  • Improved PHP version detection and OS detection
  • Improved existing ColdFusion checks
  • Improved SQL injection detection and added better error messages for IBM DB2 databases
  • Improved XXE testing, introduced more test-cases as per this document
  • Implemented server-name extension for TLS.

Bug Fixes

  • Fixed issue where links originating from XHR were invalidated
  • Fixed issues when inserting data in the reporting database
  • Fixed issue with Invalid report dates when Microsoft Access is used for the Reporting database
  • Web service editor didn’t use updated proxy settings
  • HTTP editor – alert boxes not loading on Windows Server 2003 caused by Internet Explorer security restrictions
  • Corrected CVE classification
  • Fixed issue affecting some cases of crawl results from previous versions whereby the input method was not loaded properly
  • Fixed crawler crash when sitemap file is invalid
  • Apache_CN_Discover_New_Files.script was double encoding URIs obtained from Apache
  • Fixed various issues caused when the scan is paused.

v9.5.20140505 - 05 May 2014

Build v9.5.20140505 - 5th May 2014 - NEW VERSION

New Features

Improvements

  • Improved parsing of robots.txt
  • Various improvements to existing reports
  • Improved testing for SQL injection

Bug Fixes

  • Fixed a crash in crawler caused by memory corruption
  • Fixed a leak in the XML parser
  • Fixed a few false positives in the Expression Language Injection script

v9.0.20140313 - 13 Mar 2014

Build v9.0.20140313 - 13th March 2014

New Features

  • Added a test for XSS on Apache HTTP Server 413 error pages via malformed HTTP method
  • Added a test for Joomla! v3.2.1 SQL Injection
  • Added a test looking for WEB-INF/web.xml backups (at directory level and at file level)

Improvements

  • Limited the maximum number of variations from HTML forms
  • Login Sequence Recorder will now skip recording automatic redirects
  • Improved automatic in-session detection (Login Sequence Recorder)
  • PHP AcuSensor – Added the ability to handle PHP5 Closures and improved handling of large data
  • Improved ELMAH Information Disclosure script to cover default installation locations
  • Improved ability to identify redirect variants in JavaScript code
  • Improvements to the Backup File Tests
  • Improvements to the Directory Traversal Tests
  • Improvements to the File Inclusion Tests
  • Added support for HSQL Error Messages
  • Improvements to the Possible Sensitive Directories Tests
  • Improvements to the Possible Sensitive Files Tests
  • Improvements to the URL Redirection script

Bug Fixes

  • Fixed a number of memory leaks
  • Fixed an issue causing the scan to hang caused by invalidated sessions
  • Fixed an issue causing a scan started from crawler results to execute all tests twice
  • Fixed a crash in the Session Manager caused by invalid server dates
  • URL finder regex hung on some basic inputs
  • EOutOfMemory exceptions during the execution of scripts will not cause WVS to crash. The scan will be stopped when such an exception is encountered
  • Fixed issue with false positives not being saved to disk when marked from the Vulnerability Information panel
  • Ignore external scripts feature in DeepScan was sometimes still processing external scripts

v9.0.20140206 - 06 Feb 2014

Build v9.0.20140206 - 6th February 2014

New Features

Improvements

  • Scanning of WordPress sites has been made more efficient
  • Improved coverage of ASP.NET based websites
  • Improved XSS testing script

Bug Fixes

  • Fixed bug in the pagination of the Scheduler Web Interface
  • The Login Sequence Recorder was ignoring the maximum size HTTP option
  • Fixed an issue causing the crawler to create multiple entries of the same custom cookie.
  • Fixed a bug causing the HTTP sniffer to always listen on localhost
  • Fixed a bug in the console application preventing scanning from older saved crawl results.
  • Fixed a crash at start-up caused by the DeepScan agent not starting.
