Each Acunetix WVS update generally includes new vulnerability tests or an improvement to existing checks. This post summarizes the new security tests added in the latest Acunetix WVS update.
Cross Domain Data Hijacking
A website is vulnerable if an attacker can create/upload a malicious Flash (SWF) file or control the top part of any page. Acunetix WVS includes three different tests for detecting Cross domain data hijacking vulnerabilities. Acunetix WVS can identify the following cases:
- An attacker can upload a SWF file
- An attacker can abuse a JSONP callback
- An attacker can control the top part of any page
Drupal is an open source content management platform powering millions of websites and applications.
In this update we've included support for this popular web application. Acunetix WVS can automatically detect if Drupal is installed and check for known vulnerabilities in Drupal core and Drupal plugins.
Elasticsearch remote code execution
Elasticsearch is a search server based on Lucene. After installation, Elasticsearch is accessible via HTTP. Elasticsearch has no access roles or authentication mechanism and therefore, should not be accessible in production. Acunetix WVS will try to detect if the Elasticsearch API is accessible. It also looks for a remote code execution vulnerability affecting versions prior to 1.2.
Ioncube loader-wizard.php vulnerabilities
Ioncube Encoder is a tool used to protect software written using the PHP programming language from being viewed, changed, and run on unlicensed computers. To install the Encoder, ionCube Loader needs to be installed on the web server and made available to PHP. A script named loader-wizard.php is distributed to help in the installation of the Loader. This script contains various information disclosure vulnerabilities such as phpinfo exposure, php.ini exposure, reflected XSS, arbitrary file download.
Typically this script remains on the server after the Loader is installed. Acunetix WVS detects this script and will issue an alert if found. This script should be removed from the server as soon as the installation is completed.
CodeIgniter is an open source rapid development web application framework, used in building dynamic web sites with PHP.
This update also includes support for the CodeIgniter framework. The scanner will identify if CodeIgniter is installed and check for known vulnerabilities in this framework. One of the vulnerabilities checked for is weak encryption keys in CodeIgniter based web applications. Acunetix WVS will inspect the CodeIgniter session cookie and detect if a weak key is used to sign this cookie. If yes, an attacker can abuse an unserialize call and execute remote PHP code via object injection.
Django strip_tags safety
Django is a free and open source web application framework, written in Python, which follows the model–view–controller architectural pattern.
The strip_tags function from Django did not correctly strip some obfuscated tags. This particular issue has been resolved in future releases of Django 1.6 and 1.7.
Mehmet Ince wrote a detailed blog post explaining how this problem can be exploited.
from django.utils.html import strip_tags as _c print _c("<img<!-- --> src=x onerror=alert(1);//><!-- -->") #Result <img src=x onerror=alert(1);//>
The latest update will test and report these issues when Django is detected.
TYPO3 is a free and open source web content management framework based on PHP. The scanner can now identify and scan sites based on Typo3 and issue an alert if an older version of the framework is being used.
Improvements to XML External Entity (XXE) attacks
Virtual Security Research published a very interesting paper, "A Compendium of Known Techniques", about XML attacks, focusing on XXE attacks. Acunetix WVS was improved to test for some of the less known XXE attacks.
One, often overlooked, fact about URL capabilities is that many XML parsers can be coerced into invoking URL handlers even when external entities are disabled. For example, some parsers will evaluate the following trivial XML document and retrieve the URL referenced in the document definition:
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE roottag PUBLIC "-//VSR//PENTEST//EN" "http://internal/service?ssrf">
<roottag>not an entity attack!</roottag>
Using AcuMonitor, Acunetix WVS detects additional XXE variants, including ones that are not echoed back into the response.