Changelogs

Acunetix Standard & Premium

v8.0.20121213 - 13 Dec 2012

Build v8.0.20121213 - 13th December 2012

New Features

  • New report template for ISO 27001

New Security Checks

  • During a scan Acunetix WVS checks if the MongoDB web interface is open on the external interface
  • Check for included scripts which are from an invalid hostname
  • Added a new module for testing Slow HTTP Denial of Service attacks like Slowloris
  • Added a new security check that tries to guess various internal virtual hosts (information disclosure)
  • Checks for phpLiteAdmin default passwords

Improvements

  • Improved the SQL Injection detection for SQLite3
  • Further improved the Cross-Site Scripting security check
  • Added detailed descriptions to all the Acunetix WVS security scripts
  • Removed all broken web references in vulnerability reports and added several new ones
  • Improved the Joomla! security scripts for more enhanced security scanning of Joomla! portals

Bug Fixes

  • Fixed a text wrapping issue in the compliance reports
  • Fixed an issue where the CSA engine was being executed multiple times against the same file during a scan
  • User-Agent header is now included with the in-session check request
  • Login Sequence Recorder now uses the timeout value specified from settings
  • Fixed several crashes when the Login Sequence Recorder was used against some specific websites

v8.0.20121113 - 13 Nov 2012

Build v8.0.20121113 - 13th November 2012

New Security Checks

  • New PHP code execution test for Invision Power Board

Improvements

  • We’ve improved the Acunetix SDK by introducing a new UI for selecting script targets
  • All web security scripts now send the Referrer header during tests, which means that websites that check referrers can now be scanned properly.
  • The XSS security script has been further improved.

Bug Fixes

  • We’ve added a cache-control HTTP header to crawler requests.
  • Several issues in the crawler have been fixed so you can now crawl larger websites

v8.0.20121106 - 06 Nov 2012

Build v8.0.20121106 - 6th November 2012

New Features

  • Schedule up to 2,000 website security scans using a CSV file.
  • Ability to exclude WSDL inputs from a scan from the WSDL scan wizard.

New Security Checks

  • Added a new security check for IIS global.asa / global.asax backup files.
  • Added a new remote code execution security check for vBSEO 3.6.0.
  • New arbitrary PHP code execution security check for Drupal.
  • New information disclosure security check for Drupal.
  • Added several web security checks for Ektron CMS.
  • New XSS security check that can find vulnerabilities in Referrer headers.

Improvements

  • Scheduler UI now supports pagination for faster load time.
  • Improved XSS vulnerabilities detection in URIs.
  • Improved Input Fields entries for better crawling of websites.

Bug Fixes

  • Client certificates are now being used from the Login Sequence Recorder.
  • Fixed a crash in the compare scans template.
  • Fixed an AcuSensor injection problem with .NET Framework 4.0 applications.
  • Fixed several Sensitive Directory vulnerabilities false positives.
  • Fixed a Login Sequence Recorder crash.

v8.0.20121003 - 03 Oct 2012

Build v8.0.20121003 - 3rd October 2012

New Features

  • Added a new option to allow offline activation of Acunetix WVS
  • Added heuristic input limitations in the crawler for more efficient scanning

New Security Checks

  • SQL Injection tests for OpenX web application
  • Cross-site scripting checks for IBM Lotus Domino Web Server
  • Search for MySQL connection details when scanning a website
  • Detection of phpMyAdmin v3.5.2.2 backdoor

Improvements

  • Further enhanced the XSS security check
  • Improved Remote file inclusion security check
  • Local file inclusion tests have been improved to better handle Java based applications
  • When importing scan results to reporting database using the console, the database scan ID will be reported

Bug Fixes

  • Fixed a crash when trying to stop the crawler and the CSA engine was still working
  • User specified client certificates are now being used by the Login Sequence Recorder
  • Fixed: the Login Sequence Recorder exit button was not fully visible in some situations
  • Login Sequence Recorder now uses the configured scan settings templates
  • Manual browser now uses the correct user specified User-Agent string

v8.0.20120911 - 11 Sep 2012

Build v8.0.20120911 - 11th September 2012

New Features

  • A new option that allows you to specify a different email address for each configured scan in the scheduler.
  • HTTP Fuzzer number generator now supports padding, e.g. a leading zero so that the range runs from 01 to 10.
  • A new option to specify if the latest cookie from the scanned website should be used rather than the one discovered during crawling.
  • New option to force scanner to not overwrite user specified custom cookies with newer cookies from the scanned website.
  • Ability to import multiple HTTP Sniffer captures to the same crawl.
  • Ability to merge HTTP Sniffer captures to existing website crawls.

New Security Checks

  • Added a test for .Net Cross Site Scripting (Request Validation Bypassing).
  • New security check for MediaWiki security issues.

Bug Fixes

  • Fixed a crossdomain.xml false positive.
  • Fixed the Scan Wizard back button issue; there were instances where it was not working correctly.
  • Fixed a scanner bug so that only website files found during the crawl are scanned.
  • Fixed a memory leak in the Client Script Analyser engine.
  • The Login Sequence Recorder User-Agent string is now the same in both the header and in the scripting code.
  • Fixed a bug within the WSDL scanner “Customize” button.

v8.0.20120808 - 09 Aug 2012

Build v8.0.20120808 - 9th August 2012

New Feature

  • Acunetix WVS will alert the user if a web application firewall or IDS is detected

New Security Checks

  • Added a security check for FCKeditor cross site scripting vulnerability
  • Added a test for Liferay JSON Auth Bypass
  • Acunetix WVS now checks for Server Side Request Forgery
  • Added several security checks for IBM Tivoli Access Manager Web Server vulnerabilities
  • New security check for vulnerabilities in SharePoint Could Allow Elevation of Privilege (MS12-050)
  • Acunetix WVS now checks for several DotNetNuke vulnerabilities (popular ASP.NET CMS)
  • Added a new security check for exposed Apache Solr Service
  • Remote code execution tests for Umbraco ASP.NET CMS software
  • Check for SWFUpload applet vulnerability in a large number of web applications
  • Added security checks for user controllable scripts and charsets

Improvements

  • Cross-site scripting (XSS) security checks were improved
  • HTTP Verb Tampering security script now bruteforces common or sensitive files and directories

Bug Fixes

  • Fixed: Incorrect handling of Internet Explorer’s JavaScript substr implementation
  • Fixed: Login Sequence Recorder; ssl_write result was not handled correctly resulting in data not rendering correctly
  • Fixed: Display problem; alert/child count was not displayed correctly in some cases
  • Fixed: Developer report was not showing long urls in coverage report
  • Fixed: Saved credentials were not persistent in general settings

v8.0.20120704 - 04 Jul 2012

Build v8.0.20120704 - 4th July 2012

New Security Checks

  • Added a number of new HTML 5 Cross-site scripting security checks
  • Content-Type text/xml responses are now being checked for XSS vulnerabilities
  • Using Windows 8.3 short filename techniques to check for information disclosure
  • Checks for Microsoft IIS tilde directory enumeration problems
  • A number of new security checks for Webadmin
  • Checking for MySQL, Ruby on Rails and phpMyAdmin SQL dump files on web applications
  • File disclosure via XXE Injection tests for Zend Framework
  • Information disclosure checks in environment variables

Improvements

  • Improved Directory Traversal security checks
  • Less false positives reported by the HTML Forms security checks

Bug Fixes

  • Custom cookies paths are now set correctly to the start URL
  • Login Sequence Recorder now executes JavaScript even if there are JS errors
  • Newly discovered input parameter variations are added to the list of input variations rather than ignored

v8.0.20120613 - 13 Jun 2012

Build v8.0.20120613 - 13th June 2012

New Security Checks

  • New security checks for Microsoft SharePoint.
  • The Debug Parameters test checks whether common debug parameters, such as “?debug=1”, disclose sensitive information in your web applications.
  • New Cross-Site Scripting checks for Ruby on Rails / Homakov variants.
  • Security check for JetBrains .idea project directory.
  • ToolsPack backdoor verification.
  • Security check for Fantastico_Filelist information disclosure.
  • Tests for authentication bypass vulnerabilities in MySQL, MariaDB (CVE-2012-2122).
  • Check for Nginx restrictions bypass (CVE-2011-4963).
  • New checks when a phpinfo() page is discovered: all HTML in the page is parsed and various alerts are issued reporting PHP configuration problems (display_errors on, register_globals, etc.).

New Features

  • Ability to export report in the Report Viewer.
  • Alerts you when HTML forms do not have CSRF protection.

Improvements

  • Rewrote the ASP_NET_Oracle_Padding security script.
  • Improved SVN/GIT repository security scripts.
  • Improved presentation for all the alerts generated by crawler by showing more attack details.

Bug Fixes

  • Login sequence recorder is now using the configured user-agent.
  • Cookies path parameters are better supported.
  • The scheduler authentication checkbox is restored properly if you press “Cancel”.
  • Fixed the TRACE/TRACK HTTP method test security script issue.
  • The input forms which are part of the login sequence are no longer filled with HTML forms pre-configured data.
  • Fixed the namespaces issue on the Web Services scanner.
  • Corrected the requests which are generated by the scan results imported from the Firefox extension.
  • Blind SQL injection now reports the correct value in the alert details.
  • Fixed the jQuery problem: CSA select HTML element and options are now correctly handled.

v8.0.20120508 - 08 May 2012

Build v8.0.20120508 - 8th May 2012

New Security Check

  • Acunetix WVS checks if your PHP-CGI installation is vulnerable to remote code execution. For further information regarding this type of vulnerability, read the PHP-CGI advisory article here.

New Features

  • Ability to edit scheduled scans. No need for scheduling new scans every time you wish to change a scan setting.
  • Amend multiple scheduled scans simultaneously by selecting them and applying the required global changes.
  • Save all your scan results and access them at any time from your scheduler’s scan history. You can also delete scan results from the web-based scheduler.
  • A new setting has been introduced to configure the maximum number of pages during a crawl.

Improvements

  • Improved Cross-Site Scripting (XSS) tests.
  • The web-based scheduler has been improved to run better in the latest version of Internet Explorer.
  • Enhanced SQL injection tests to reduce the false positives reporting even more.

Bug Fixes

  • The scheduled scans can be correctly imported after upgrading to a more recent build of Acunetix WVS 8.
  • The false positives settings node can now support changes from multiple instances at the same time.
  • Web Service Definition Language (WSDL) Scanner URL edit box is now able to save history.