Drupal Local File Inclusion Vulnerability

I was testing our scanner (with AcuSensor enabled) on Drupal (http://www.drupal.org) and the scanner found a possible file inclusion vulnerability. As you can see from the screenshot above, the GET variable q was set to start/../../xxx….end and it got partially sanitized: by the time it reached the include() call it had become /themes/garland/page-start-..-..-xxx….end.tpl.php, with every slash replaced by "-". […]
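To see what that slash-to-dash mapping does to a traversal attempt, here is an added example (not Drupal's code and not the scanner's output) that approximates the template lookup described above and then asks the question a reviewer wants answered at an include() sink: does the resolved path still live inside the theme directory? THEME_DIR, the function names and the traversal inputs are all constructed for this illustration.

```python
import posixpath

# Assumed location of the theme directory; any absolute path works for the demo.
THEME_DIR = "/var/www/drupal/themes/garland"


def template_suggestion(q):
    """Approximate the described behaviour: the request path becomes a page
    template name with every "/" replaced by "-" (illustration, not Drupal's code)."""
    return "page-" + q.replace("/", "-") + ".tpl.php"


def resolve_include(base_dir, name):
    """Path that include(base_dir + "/" + name) would actually open, with
    "." and ".." segments collapsed the way the filesystem would."""
    return posixpath.normpath(posixpath.join(base_dir, name))


def stays_inside(base_dir, path):
    """True if path cannot escape base_dir after ".." resolution."""
    base = posixpath.normpath(base_dir)
    return posixpath.commonpath([base, path]) == base


def check(q):
    """Return (resolved include path, contained?) for a raw q value that went
    through the slash-to-dash mapping."""
    path = resolve_include(THEME_DIR, template_suggestion(q))
    return path, stays_inside(THEME_DIR, path)


def unsanitized_include(q):
    """What the same sink would open if the slashes were NOT replaced
    (constructed contrast case to show why the mapping matters)."""
    return resolve_include(THEME_DIR, "page-" + q + ".tpl.php")


if __name__ == "__main__":
    # Constructed traversal attempt, not the value from the scan.
    q = "start/../../../../etc/passwd"
    print(check(q))                      # contained: the ".." are no longer path segments
    print(unsanitized_include(q))        # without the mapping the path leaves the theme dir
```

The containment check only answers the traversal question for this one sink: once "/" is gone, ".." is just part of a file name and can no longer move up a directory. Whether the remaining, still attacker-controlled file name is otherwise safe for the include is a separate question that the mapping alone does not settle.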


Acunetix Web Vulnerability Scanner Voted WindowSecurity.com Readers’ Choice Award Winner for the Second Time

Acunetix WVS Singled Out by Network Security Administrators and Specialists. London, UK – 26 February 2009 – Leading Windows security resource site WindowSecurity.com announced today that Acunetix Web Vulnerability Scanner was selected the winner in the Web Application Security category of the WindowSecurity.com Readers’ Choice Awards. “Our Readers’ Choice Awards give visitors to our site the […]


AcuSensor and the pink blog

While testing our AcuSensor technology, I downloaded a small PHP blog application from the internet. The installation went smoothly. This particular application was not using a database but it was storing everything in text files. I added a sample blog post and I was ready to start the scan. The application looked like this before […]


SQL injection sneaks into Kaspersky’s support website

The recent compromise of Kaspersky’s support database left the company with a bit of explaining to do. The hacker, nicknamed unu, published a post on hackersblog detailing what he was able to do on Kaspersky’s US support website through SQL injection. Kaspersky also published their own account based on their log files and unu’s post. The following is a summary of what happened and how such attacks can be prevented.
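As an added illustration of the prevention side (this is example code written for this page; it is not taken from the incident write-ups and says nothing about how the real support site was built), the block below builds a constructed in-memory table, runs the same lookup once with string concatenation and once with a bound parameter, and shows how a classic tautology payload and a UNION payload behave against each.

```python
import sqlite3


def make_db():
    """Constructed stand-in for a support site's user table (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b"), ("support", "hash-s")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Input is spliced into the SQL text, so quotes and keywords in it are
    parsed as part of the query grammar."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Input travels to the driver as a bound value, never as SQL text; the
    statement's structure is fixed before the value is seen."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Constructed payloads: a tautology that matches every row, and a UNION that
# pulls a different column out of the same table.
TAUTOLOGY = "x' OR '1'='1"
UNION_DUMP = "x' UNION SELECT password_hash FROM users--"


if __name__ == "__main__":
    db = make_db()
    for payload in (TAUTOLOGY, UNION_DUMP):
        print("concatenated :", lookup_vulnerable(db, payload))
        print("parameterized:", lookup_parameterized(db, payload))
```

The parameterized version returns nothing for either payload because there is no user literally named `x' OR '1'='1`; the concatenated version returns every username for the first payload and the password hashes for the second. Whatever the specifics of any one incident, that is the property a fix has to establish: user input must reach the database as data, not as part of the statement.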


Embedded devices can be hacked through the web interface

Anyone who has tested even a small number of web configuration interfaces on embedded devices, such as managed routers, VoIP gateways and wireless routers, knows that these devices are notorious for web application vulnerabilities. It is not uncommon for them to be vulnerable to cross-site scripting (XSS) and similar attacks. Recently Cisco published a […]
