Acunetix WVS Version 6.5 build 20091124 released

An updated build for Acunetix WVS Version 6.5 has been released with a number of improvements, bug fixes, and most important of all, a good number of new security checks.

New:

  • New security checks of AcuSensor Technology
    • curl_exec() url is controlled by user
    • PHP preg_replace used on user input
    • PHP super-globals-overwrite
    • PHP unserialize used on user input
  • Other new security checks of Acunetix WVS
    • osCommerce authentication bypass
    • Apache Tomcat insecure default administrative password
    • Apache Tomcat directory traversal
    • Checks for PHP invalid data type error messages
    • Check for possible remote SWF inclusion
    • Added further checks for possible sensitive files; general tests per server
    • Added further checks for possible sensitive directories; general tests per server
    • Added a new security check for SQL injection in the authentication header (basic authentication, base64 encoded)
    • Added AlertIfTextNotFound group parameter to invert search and issue an alert if a specified text is not found

Improvements:

  • Renamed Weak password module to Authentication module; now it also includes a good number of new authentication security checks
  • Improved Cross-site scripting in URI checks to include a number of Ruby on rails security checks
  • Improved Application errors security checks
  • Introduced 3 new setting parameters for the crawler in Settings.XML file:
    • <MaxFirstPossibleValue>262144</MaxFirstPossibleValue>
    • <MaxOtherPossibleValues>256</MaxOtherPossibleValues>
    • <MaxNumberOfPossibleValues>1000</MaxNumberOfPossibleValues>

Bug Fixes:

  • Fixed: false positives issued in weak password alert
  • Fixed: WSDL importer crash when importing recursive complex elements
  • Fixed: Crawler proxy request handling changed to decode the input name/value
  • Fixed Vulnerability Editor to show group parameters with default values if no VulnXML template is used
  • Changed HTTP_Anomalies to log PHP errors and save the results in a file instead of alerts
  • Hidden VulnXML properties for alerts that are not using VulnXML default template in Vulnerability Editor
  • Adjusted VulnXML to reduce the number of false positives for Blind SQL injection timing tests
  • Updated CSA engine; delete the BOM characters from script sources
  • Updated URL_Helper; UrlEncode/Decode modified not to use str := str + ch and to validate hex characters after %
  • Updated File_Inputs; possible values are limited in size now

How to upgrade:

On starting up Acunetix WVS, a pop up window will automatically notify you that a more recent build is available for download.  To download the latest build, navigate to General > Program Updates node in the Tools explorer, and click on Download and Install new build.

Click here for the complete Acunetix WVS change log.

Contact us on support@acunetix.com for any technical queries, and on sales@acunetix.com for any sales queries.

Share this post

Leave a Reply

Your email address will not be published.