Changelogs

Acunetix Standard & Premium

RSS Feed

v9.5.20141120 - 20 Nov 2014

Copy Link Copy Link
Build v9.5.20141120 - 20th November 2014

Improvements

  • Improved TLS support
  • Introduced support for HTTP pipelining
  • Minor bug fixes

v9.5.20140902 - 02 Sep 2014

Copy Link Copy Link
Build v9.5.20140902 - 2nd September 2014

New Features

  • Implemented a test for format strings vulnerabilities in web applications
  • Implemented support for Hibernate Query Injection
  • Implemented a check for MySQL username disclosure in error messages
  • Implemented a test looking for vBulletin 5 SQL injection
  • Implemented detection of Multiple Vulnerabilities in Parallels Plesk Sitebuilder
  • Implemented a test looking for WordPress XMLRPC bruteforce
  • Implemented a test for Remote File Upload vulnerability in Mailpoet/Wysija newsletters popular WordPress plugin
  • Implemented a test for Insecure Nonce Generation in popular WordPress plugin WPTouch
  • Implemented a test looking for various JSP access restriction bypasses in Java web applications
  • Implemented detection of multiple vulnerabilities in Kunena Forum for Joomla
  • Implemented a test checking if applets are permitted when file uploads are possible (this will lead to XSS vulnerabilities)
  • Added a test for Java Debug Wire Protocol vulnerabilities
  • Added a test for Zabbix XXE
  • Added a test looking for Weblogic console default credentials
  • Added a test for Symphony debugging console enabled
  • Added a test for some MongoDB vulnerabilities
  • Added a test looking for Chrome Logger information disclosure
  • Added a generic script looking for unsecured mail forms that could lead to spam
  • Added a test to check if ASP.NET Viewstate MAC is enabled
  • Implemented a test for WordPress/Drupal/… XML quadratic blowup denial of service attack
  • Added a test looking for HTML injection with unterminated tag
  • Added a test for WordPress plugin Custom Contact Forms.

Improvements

  • Various optimisations to Amazon S3 related scripts such as XXE and SSRF
  • Improved the script looking for possible sensitive files
  • XSS script can now find less common XSS variants such as double encode payloads
  • SQL injection script checks for other variants such as SQL injection in order by, group by
  • XSS script now checks for many user controllable tag attributes
  • Various optimizations in the generation of reports
  • Improved Server Directory Traversal script
  • Improved Host Header Attack script

Bug Fixes

  • Fixed JS errors that appear in HTTP editor.
  • Restricted links matching was not working in some situations.
  • Fixed the slow response time alert – moved alert details from description.
  • Fixed a false positive with Struts2_Development_Mode script.
  • Auto login crash if requests were failing after a long time.
  • Existing cookies from manual browsing were ignored by crawler.
  • Reduced some false positives in Backup file reporting.
  • Login Sequence Recorder will delete the cookies it collected in the wizard.
  • Crawler will use cookies from LSR in manual mode.

v9.5.20140602 - 03 Jun 2014

Copy Link Copy Link
Build v9.5.20140602 - 3rd June 2014

New Features

  • Added a check for Open Flash Chart ‘ofc_upload_image.php’ Remote PHP Code Execution Vulnerability which affects various web applications including WordPress plugins, Joomla! components, piwik, and others
  • Added a test for Joomla! v3.2.2 SQL Injection vulnerability
  • Added a script which checks for various known Drupal vulnerabilities (in Drupal modules and Drupal core)
  • Added a test for SFTP/FTP credentials exposure. Various SFTP/FTP clients are storing connection credentials in plain text files (such as sftp-config.json, recentservers.xml, etc.) that are later uploaded on the web server
  • Added a test for “Same Site” Scripting
  • Added a test for Parallels Plesk SSO (Single sign-on) XXE (XML External Entity) and XSS (Cross-Site Scripting) vulnerabilities
  • Added a test for systems running PHP versions < 5.5.12, 5.4.28 (multiple vulnerabilities fixed in these versions including the Heartbleed bug affecting PHP)
  • Added a test looking if the Elasticsearch service is accessible
  • Added a test for Elasticsearch remote code execution
  • Added a test for nginx SPDY heap buffer overflow (CVE-2014-0133)
  • Added a test for Adobe ColdFusion 9 Administrative Login Bypass
  • Added a test for multiple vulnerabilities affecting Ioncube loader-wizard.php file
  • Added a test looking for Apache Roller OGNL Injectio
  • Added a test for Apache Tomcat JK Web Server Connector security bypass.
  • Added a test looking for XSS vulnerabilities in GWT Google Web Toolkit – CVE-2012-4563, CVE-2012-5920, CVE-2013-4204
  • Added detection of PHP framework CodeIgniter
  • Added a test that checks for server-side redirects from http:// to file://
  • Added a test looking for weak encryption keys in CodeIgniter-based web applications
  • Added a test looking for insecure Django strip_tags implementation
  • Added a test for JBoss Seam 2.3.1 Remoting Vulnerabilities
  • Added detection and a check for the latest version of Typo3 web application
  • Added a test looking for Adobe Cold Fusion directory traversal and information disclosure (CVE-2013-3336)
  • Added the following Cross Domain Data Hijacking vulnerability checks:
  • Added a test looking for Database connection strings information disclosure
  • Added a test for CodeIgniter <= 2.1.3 xss_clean() Filter Bypass
  • Added an alert for WordPress username enumeration
  • Added a test for ExtJS charts.swf XSS (distributed with Typo3)
  • Added a test for Ruby on Rails directory traversal (CVE-2014-0130)
  • Added a test for WordPress plugin All In One SEO Pack security vulnerabilities.

Improvements

  • Improved PHP version detection and OS detection
  • Improve existing ColdFusion checks
  • Improved SQL injection detection and added better error messages for IDM DB2 databases
  • Improved XXE testing, introduced more test-cases as per this document
  • Implemented server-name extension for TLS.

Bug Fixes

  • Fixed issue were links originating from XHR are invalidated
  • Fixed issues when inserting data in the reporting database
  • Fixed issue with Invalid report dates when Microsoft Access is used for the Reporting database
  • Web service editor didn’t used updated proxy settings
  • HTTP editor – alert boxes not loading on Windows Server 2003 caused by Internet Explorer security restrictions
  • Corrected CVE classification
  • Fixed issue affecting some cases of crawl results from previous versions whereby the input method was not loaded properly
  • Fixed crawler crash when sitemap file is invalid
  • Apache_CN_Discover_New_Files.script script was double encoding URIs got from Apache
  • Fixed various issues caused when the scan is paused.

v9.5.20140505 - 05 May 2014

Copy Link Copy Link
Build v9.5.20140505 - 5th May 2014 - NEW VERSION

New Features

Improvements

  • Improved parsing of robots.txt
  • Various improvements to existing reports
  • Improved testing for SQL injection

Bug Fixes

  • Fixed a crash in crawler caused by memory corruption
  • Fixed a leak in the XML parser
  • Fixed a few false positives in the Expression Language Injection script

v9.0.20140313 - 13 Mar 2014

Copy Link Copy Link
Build v9.0.20140313 - 13th March 2014

New Features

  • Added a test for XSS on Apache HTTP Server 413 error pages via malformed HTTP method
  • Added a test for Joomla! v3.2.1 SQL Injection
  • Added a test looking for WEB-INF/web.xml backups (at directory level and at file level)

Improvements

  • Limited the maximum number of variations from HTML forms
  • Login Sequence Recorder will now skip recording automatic redirects
  • Improved automatic in-session detection (Login Sequence Recorder)
  • PHP AcuSensor – Added the ability to handle PHP5 Closures and improved handling of large data
  • Improved ELMAH Information Disclosure script to cover default installation locations
  • Improved ability to identify redirect variants in JavaScript code
  • Improvements to the Backup File Tests
  • Improvements to the Directory Traversal Tests
  • Improvements to the File Inclusion Tests
  • Added support for HSQL Error Messages
  • Improvements to the Possible Sensitive Directories Tests
  • Improvements to the Possible Sensitive Files Tests
  • Improvements to the URL Redirection script

Bug Fixes

  • Fixed a number of memory leaks
  • Fixed an issue causing the scan to hang caused by invalidated sessions
  • Fixed an issue causing the scan from crawler executed all tests twice
  • Fixed a crash in the Session Manager caused by invalid server dates
  • URL finder regex hanged on some basic inputs
  • EOutOfMemory exceptions during the execution of scripts will not cause WVS to crash. The scan will be stopped when such an exception is encountered
  • Fixed issue with false positives not being saved to disk when marked from the Vulnerability Information panel
  • Ignore external scripts feature in DeepScan was sometimes still processing external scripts

v9.0.20140206 - 06 Feb 2014

Copy Link Copy Link
Build v9.0.20140206 - 6th February 2014

New Features

Improvements

  • Scanning of WordPress sites has been made more efficient
  • Improved coverage of ASP.NET based websites
  • Improved XSS testing script

Bug Fixes

  • Fixed bug in the pagination of the Scheduler Web Interface
  • The Login Sequence Recorder was ignoring the maximum size HTTP option
  • Fixed an issue causing the crawler to create multiple entries of the same custom cookie.
  • Fixed a bug causing the HTTP sniffer to always listen on localhost
  • Fixed a bug in the console application preventing scanning from older saved crawl results.
  • Fixed a crash caused at start-up caused by the DeepScan agent not starting.

v9.0.20140115 - 15 Jan 2014

Copy Link Copy Link
Build v9.0.20140115 - 15th January 2014

Improvements

  • WVS will warn user if the login sequence failed to make a successful login and disables the login steps.
  • Various improvements in the detection of Blind SQL Injection
  • Various improvements in DeepScan
  • Better handling of web servers that don’t send HTTP headers in the response (HTTP 0.9)
  • Improved Readme Files script
  • JSON parser can now handle unnamed inputs

Bug Fixes

  • XSS vulnerabilities are no longer reported if the initial request is redirected to another host
  • Fixed an issue with the Crawler depth limitation
  • Fixed issue with Crawler request counter when used with login sequence
  • “Add to request” function in HTTP Editor was not working in raw HTTP request tab
  • Fixed a bug that was causing false positives in the JavaScript Libraries Audit script
  • Fixed some false positives in Possible Sensitive Directories script.

v9.0.20131216 - 16 Dec 2013

Copy Link Copy Link
Build v9.0.20131216 - 16th December 2013

New Features

Improvements

  • Improved test for WordPress OptimizePress Theme file upload vulnerability.
  • The scanner will now indicate that a scan can take long time to complete, allowing the user to tweak the scan settings if needed.
  • Various improvements to the Login Sequence Recorder
  • Improved the test looking for possible form caching (look for missing “pragma: no-cache” header).
  • It is now possible to use multiple input values for HTML inputs using the format: $(choice1,choice2). These can be configured from Configuration > Scan Settings > Input Fields.
  • Speed improvements gained by streamlining the number of requests performed by some checks.
  • Better handling of some uncommon HTTP status codes.
  • The user-agent of the Login Sequence Recorder can now be configured to use the one configured in WVS (by default, it uses Internet Explorer)
  • Directory Traversal script now provides better handling of Java Web Applications.
  • Improved the calculation of the average response time during a scan

Bug Fixes

  • Sites with a high response time were showing incorrect scan statistics.
  • Fixed rewrite detection on nginx servers with phpfastcgi.
  • Fixed some false positives in SQL Statement in comment.
  • Better handling of very long VIEWSTATE strings.
  • Improved handling of Windows based websites by providing better support for case insensitive filesystems
  • Scan from HTTP Proxy log entry was not working correctly
  • Fixed a crash caused by specific characters in the URL Encoded Post Data
  • Fixed a false positive in Script_Source_Code_Disclosure.script
  • Fixed some false positives in error messages.
  • Web Services: fixed Out of Bounds error when importing invalid WSDLs.

v9.0.20131107 - 11 Nov 2013

Copy Link Copy Link
Build v9.0.20131107 - 11th November 2013

New Features

Improvements

  • Improved XSS testing script.
  • From an alert, clicking on the affected file takes the user to the file in the site structure. This is useful when additional information on the affected file is required (such as the referrers in the case of Broken links, or the source of the web page)
  • DOM XSS alerts will include more information (such as the HTML written for document.write)
  • Improved Code Execution script to find more specific issues and reduce the number of requests performed

Bug Fixes

  • Fixed an issue causing application deadlock.
  • Fixed false positives shown in broken links
  • Fixed some false positives with Script_Source_Code_Disclosure.script
  • Fixed DOM XSS false positives
  • Fixed an issue with Analyze_Parameter_Values script causing the script not to parse relative paths correctly
  • Fixed false positives with Slow HTTP Denial Of Server script
1 18 19 20 27