Acunetix WVS Build History

Build v9.5.20140602 - 3rd June 2014

New Features

  • Added a check for Open Flash Chart 'ofc_upload_image.php' Remote PHP Code Execution Vulnerability which affects various web applications including WordPress plugins, Joomla! components, piwik, and others
  • Added a test for Joomla! v3.2.2 SQL Injection vulnerability
  • Added a script which checks for various known Drupal vulnerabilities (in Drupal modules and Drupal core)
  • Added a test for SFTP/FTP credentials exposure. Various SFTP/FTP clients are storing connection credentials in plain text files (such as sftp-config.json, recentservers.xml, etc.) that are later uploaded on the web server
  • Added a test for "Same Site" Scripting
  • Added a test for Parallels Plesk SSO (Single sign-on) XXE (XML External Entity) and XSS (Cross-Site Scripting) vulnerabilities
  • Added a test for systems running PHP versions < 5.5.12, 5.4.28 (multiple vulnerabilities fixed in these versions including the Heartbleed bug affecting PHP)
  • Added a test looking if the Elasticsearch service is accessible
  • Added a test for Elasticsearch remote code execution
  • Added a test for nginx SPDY heap buffer overflow (CVE-2014-0133)
  • Added a test for Adobe ColdFusion 9 Administrative Login Bypass
  • Added a test for multiple vulnerabilities affecting Ioncube loader-wizard.php file
  • Added a test looking for Apache Roller OGNL Injectio
  • Added a test for Apache Tomcat JK Web Server Connector security bypass.
  • Added a test looking for XSS vulnerabilities in GWT Google Web Toolkit - CVE-2012-4563, CVE-2012-5920, CVE-2013-4204
  • Added detection of PHP framework CodeIgniter
  • Added a test that checks for server-side redirects from http:// to file://
  • Added a test looking for weak encryption keys in CodeIgniter-based web applications
  • Added a test looking for insecure Django strip_tags implementation
  • Added a test for JBoss Seam 2.3.1 Remoting Vulnerabilities
  • Added detection and a check for the latest version of Typo3 web application
  • Added a test looking for Adobe Cold Fusion directory traversal and information disclosure (CVE-2013-3336)
  • Added the following Cross Domain Data Hijacking vulnerability checks:
  • Added a test looking for Database connection strings information disclosure
  • Added a test for CodeIgniter <= 2.1.3 xss_clean() Filter Bypass
  • Added an alert for WordPress username enumeration
  •  Added a test for ExtJS charts.swf XSS (distributed with Typo3)
  • Added a test for Ruby on Rails directory traversal (CVE-2014-0130)
  • Added a test for WordPress plugin All In One SEO Pack security vulnerabilities.

Improvements

  • Improved PHP version detection and OS detection
  • Improve existing ColdFusion checks
  • Improved SQL injection detection and added better error messages for IDM DB2 databases
  • Improved XXE testing, introduced more test-cases as per this document
  • Implemented server-name extension for TLS.

Bug Fixes

  • Fixed issue were links originating from XHR are invalidated
  • Fixed issues when inserting data in the reporting database
  • Fixed issue with Invalid report dates when Microsoft Access is used for the Reporting database
  • Web service editor didn't used updated proxy settings
  • HTTP editor - alert boxes not loading on Windows Server 2003 caused by Internet Explorer security restrictions
  • Corrected CVE classification
  • Fixed issue affecting some cases of crawl results from previous versions whereby the input method was not loaded properly
  • Fixed crawler crash when sitemap file is invalid
  • Apache_CN_Discover_New_Files.script script was double encoding URIs got from Apache
  • Fixed various issues caused when the scan is paused.

Build v9.5.20140505 - 5th May 2014

New Features

Improvements

  • Improved parsing of robots.txt
  • Various improvements to existing reports
  • Improved testing for SQL injection

Bug Fixes

  • Fixed a crash in crawler caused by memory corruption
  • Fixed a leak in the XML parser
  • Fixed a few false positives in the Expression Language Injection script

Build v9.0.20140313 - 13th March 2014

New Features

Improvements

  • Limited the maximum number of variations from HTML forms
  • Login Sequence Recorder will now skip recording automatic redirects
  • Improved automatic in-session detection (Login Sequence Recorder)
  • PHP AcuSensor - Added the ability to handle PHP5 Closures and improved handling of large data
  • Improved ELMAH Information Disclosure script to cover default installation locations
  • Improved ability to identify redirect variants in JavaScript code
  • Improvements to the Backup File Tests
  • Improvements to the Directory Traversal Tests
  • Improvements to the File Inclusion Tests
  • Added support for HSQL Error Messages
  • Improvements to the Possible Sensitive Directories Tests
  • Improvements to the Possible Sensitive Files Tests
  • Improvements to the URL Redirection script

Bug Fixes

  • Fixed a number of memory leaks
  • Fixed an issue causing the scan to hang caused by invalidated sessions
  • Fixed an issue causing the scan from crawler executed all tests twice
  • Fixed a crash in the Session Manager caused by invalid server dates
  • URL finder regex hanged on some basic inputs
  • EOutOfMemory exceptions during the execution of scripts will not cause WVS to crash. The scan will be stopped when such an exception is encountered
  • Fixed issue with false positives not being saved to disk when marked from the Vulnerability Information panel
  • Ignore external scripts feature in DeepScan was sometimes still processing external scripts

Build v9.0.20140206 - 6th February 2014

New Features

Improvements

  • Scanning of WordPress sites has been made more efficient
  • Improved coverage of ASP.NET based websites
  • Improved XSS testing script

Bug Fixes

  • Fixed bug in the pagination of the Scheduler Web Interface
  • The Login Sequence Recorder was ignoring the maximum size HTTP option
  • Fixed an issue causing the crawler to create multiple entries of the same custom cookie.
  • Fixed a bug causing the HTTP sniffer to always listen on localhost
  • Fixed a bug in the console application preventing scanning from older saved crawl results.
  • Fixed a crash caused at start-up caused by the DeepScan agent not starting.

 Build v9.0.20140115 - 15th January 2014

Improvements

  • WVS will warn user if the login sequence failed to make a successful login and disables the login steps.
  • Various improvements in the detection of Blind SQL Injection
  • Various improvements in DeepScan
  • Better handling of web servers that don't send HTTP headers in the response (HTTP 0.9)
  • Improved Readme Files script
  • JSON parser can now handle unnamed inputs

Bug Fixes

  • XSS vulnerabilities are no longer reported if the initial request is redirected to another host
  • Fixed an issue with the Crawler depth limitation
  • Fixed issue with Crawler request counter when used with login sequence
  • "Add to request" function in HTTP Editor was not working in raw HTTP request tab
  • Fixed a bug that was causing false positives in the JavaScript Libraries Audit script
  • Fixed some false positives in Possible Sensitive Directories script.

Build v9.0.20131216 - 16th December 2013

New Features

Improvements

  • Improved test for WordPress OptimizePress Theme file upload vulnerability.
  • The scanner will now indicate that a scan can take long time to complete, allowing the user to tweak the scan settings if needed.
  • Various improvements to the Login Sequence Recorder
  • Improved the test looking for possible form caching (look for missing "pragma: no-cache" header).
  • It is now possible to use multiple input values for HTML inputs using the format: $(choice1,choice2). These can be configured from Configuration > Scan Settings > Input Fields.
  • Speed improvements gained by streamlining the number of requests performed by some checks.
  • Better handling of some uncommon HTTP status codes.
  • The user-agent of the Login Sequence Recorder can now be configured to use the one configured in WVS (by default, it uses Internet Explorer)
  • Directory Traversal script now provides better handling of Java Web Applications.
  • Improved the calculation of the average response time during a scan

Bug Fixes

  • Sites with a high response time were showing incorrect scan statistics.
  • Fixed rewrite detection on nginx servers with phpfastcgi.
  • Fixed some false positives in SQL Statement in comment.
  • Better handling of very long VIEWSTATE strings.
  • Improved handling of Windows based websites by providing better support for case insensitive filesystems
  • Scan from HTTP Proxy log entry was not working correctly
  • Fixed a crash caused by specific characters in the URL Encoded Post Data
  • Fixed a false positive in Script_Source_Code_Disclosure.script
  • Fixed some false positives in error messages.
  • Web Services: fixed Out of Bounds error when importing invalid WSDLs.

Build v9.0.20131023 - 23rd October 2013

New Features

  • Introduced the detection of additional DOM XSS vulnerabilities which can be injected in the HTTP GET parameters.
  • Implemented the option to auto-save scan results after the scan is completed. This can be configured from Configuration->Application Settings->Saved scan results. This node also includes the Database settings, which are used for the reporting database.

Improvements

  • Reduced number of requests made by PerFolder scripts by making some optimizations in the scripts.
  • Improved Readme_Files script to reduce some false positives originating from sites using a custom 404 page

Bug Fixes

  • Affected file was sometimes set incorrectly for DOM XSS vulnerabilities.
  • Fixed an issue causing the scan to check for possible sensitive files/folders when AcuSensor is enabled, and thus such files would already be known.
  • Saving scan results to reporting database and loading of saved scans sometimes caused WVS to crash
  • The Edit Request Variables option in the HTTP editor was not visible
  • Fixed Out of memory crash in AcuSensor for PHP when "mbstring.func_overload" is enabled.
  • Fixed memory leak affecting large websites

Build v9.0.20131107 - 11th November 2013

New Features

Improvements

  • Improved XSS testing script.
  • From an alert, clicking on the affected file takes the user to the file in the site structure. This is useful when additional information on the affected file is required (such as the referrers in the case of Broken links, or the source of the web page)
  • DOM XSS alerts will include more information (such as the HTML written for document.write)
  • Improved Code Execution script to find more specific issues and reduce the number of requests performed

Bug Fixes

  • Fixed an issue causing application deadlock.
  • Fixed false positives shown in broken links
  • Fixed some false positives with Script_Source_Code_Disclosure.script
  • Fixed DOM XSS false positives
  • Fixed an issue with Analyze_Parameter_Values script causing the script not to parse relative paths correctly
  • Fixed false positives with Slow HTTP Denial Of Server script

Build v9.0.20131023 - 23rd October 2013

New Features

  • Introduced the detection of additional DOM XSS vulnerabilities which can be injected in the HTTP GET parameters.
  • Implemented the option to auto-save scan results after the scan is completed. This can be configured from Configuration->Application Settings->Saved scan results. This node also includes the Database settings, which are used for the reporting database.

Improvements

  • Reduced number of requests made by PerFolder scripts by making some optimizations in the scripts.
  • Improved Readme_Files script to reduce some false positives originating from sites using a custom 404 page

Bug Fixes

  • Affected file was sometimes set incorrectly for DOM XSS vulnerabilities.
  • Fixed an issue causing the scan to check for possible sensitive files/folders when AcuSensor is enabled, and thus such files would already be known.
  • Saving scan results to reporting database and loading of saved scans sometimes caused WVS to crash
  • The Edit Request Variables option in the HTTP editor was not visible
  • Fixed Out of memory crash in AcuSensor for PHP when "mbstring.func_overload" is enabled.
  • Fixed memory leak affecting large websites

Build v9.0.20131009 - 10th October 2013

New Features

  • Added a test looking for ReadMe documentation files. The information contained in these files could help an attacker identify the web application being used and sometimes the version of the application.  It's recommended to remove these files from production systems
  • Added a test for HTML injection vulnerabilities
  • Added a test for weak passwords in Joomla! Administrative interface
  • Added a test for weak passwords in the Django Administrative interface
  • Added a test for WordPress PHP Object Injection affecting versions lower than 3.6.1

Improvements

  • Various updates in DeepScan resulting in improved site coverage
  • Update in the way that the HTTP Editor detects the host header from the URL
  • Acunetix now displays a warning if the user closes the application during a scan
  • The Port scanner timeout connection can be configured in milliseconds, allowing for further fine-tuning of the timeout

Bug Fixes

  • Fixed a crash in the user interface when certain components where updated from different threads
  • Base64 tool has been updated to ignore CRLF
  • Fixed issue causing the CSRF checks to never finish in some cases
  • Fixed issue causing the Reporter to invalidate the default report in some cases when the settings were changed
  • Fixed issue causing the default report button was not working in welcome screen
  • Fixed crawler stall when maximum number of pages reached
  • Fixed various memory leaks in crawler
  • Various updates to the Scanning Profiles

Build v9.0.20130904 - 5th September 2013

New Features

Improvements

  • Improved DeepScan to provide better coverage.
  • Improved SQL injection detection for HSQLDB databases.
  • Improved XSS detection.
  • Added ability to select/unselect all items in a folder when using the option "after crawling let me choose the files to scan".

Bug Fixes

  • Fixed custom 404 browser navigation bug
  • Filenames encoded as UTF-8 are now properly displayed.

Build v9.0.20130814 - 15th August 2013

New Features

  • FULL support for HTML5
  • Introduced DeepScan Technology which enhances crawling of JavaScript based web sites, including AJAX and Single Page Applications (SPA). DeepScan is powered by WebKit.
  • Improved support for mobile friendly web sites
    • Improved ability to crawl such sites
    • User is given option to scan mobile friendly version of website
  • Drastically increased the detection of DOM-based XSS
  • Launched Acunetix AcuMonitor used to detect vulnerabilities that can only be detected using an intermediate server. The use of AcuMonitor requires registration.
  • Detection of Blind XSS using AcuMonitor
  • Detection of Server Side Request Forgery (SSRF) using AcuMonitor
  • Detection of Host Header Attacks using AcuMonitor
  • Detection of Email Header Injection using AcuMonitor
  • Detection of XML External Entity (XXE) using AcuMonitor
  • New parameter: /SaveCrawlerData. This new parameter can be used to save the crawler data following a scan from command line.
  • At the end of a scan, the command line output includes scan statistics showing the number of files detected, number of requests, average response and other data which is shown in the main application.
  • Introduced http://testhtml5.vulnweb.com – a new HTML 5 test site which hosts various HTML5 specific vulnerabilities

Improvements

  • Blind SQL Injection script has been revamped and now provides better detection and significantly reduces false positives
  • Crawler has been updated to support 303 and 307 HTTP Redirection Status codes
  • Updated HTML Authentication Auditing script
  • When a vulnerability is identified, Acunetix will stop checking for variations of the vulnerability. This decreases the scan time, and prevents reporting the same vulnerability multiple times on the same input field.
  • HTTP Authentication now allows saving of websites with underscore in the domain names
  • Backup file script has been updated to not display large binary files in HTTP editor.

Bug Fixes

  • Fixed non-responsive user interface caused when saving scan results.
  • Fixed issue where some scans incorrectly reported the alert 'Password type input with auto-complete enabled' multiple times incorrectly.
  • Some scans used to run the perServer scripts twice, thus taking longer and reporting the same vulnerability twice.
  • Scheduler sometimes reported an 'Unknown State' when a scan is cancelled.
  • Various other bug fixes

Build v8.0.20130619 - 19th June 2013

New Features

Improvements

  • Reduced false positives in XSS detection
  • Improvements to Web Server Default Welcome Page script
  • Reduced false positives reported by Blind SQL Injection
  • Improvements in the detection of Sensitive Directories
  • Added patterns for Python error messages and stack traces in the Text Search script.

Bug Fixes

  • Fixed an issue in PHP AcuSensor
  • In some situations, the Login Sequence Recorder misidentified connections to HTTPs sites when working through the Acunetix Web Vulnerability Scanner proxy
  • Fixed crash in the crawler when external JavaScript files where processed from a site with AcuSensor enabled
  • Fixed a false positive in Microsoft IIS Tilde Directory Enumeration
  • Fixed issues where scheduled scans with recursion are not rescheduled if they cannot start because of scan restrictions
  • Fixed a bug with Amazon S3 Public Buckets audit KB items being reported multiple times

Build v8.0.20130416 - 18th April 2013

New Features

  • Added a test that enumerates valid WordPress usernames using various techniques.
  • Added a test for weak WordPress passwords for the usernames identified during the scan.
  • Added a test that identifies common WordPress plugins. For each plugin identified, Acunetix WVS will try to enumerate the plugin name, short description, installed version and latest version of the plugin. This information is shown in a Knowledge Base item.
  • Added a test that identifies Amazon S3 public buckets.
  • Added a test for the security hotfix for ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and UNIX (Adobe Vulnerability ID: APSB13-10; CVE-2013-1387, CVE-2013-1388)
  • Added a test looking for Apache Tomcat SessionExample servlet that can allow session manipulation.
  • Added a test for Drupal Views Module Information Disclosure Vulnerability.
  • Added a test for Gallery v3.0.4 Remote Code Execution.
  • Added a test for Jenkins Dashboard (http://jenkins-ci.org/).
  • Added a test for Roundcube Webmail Security updates 0.8.6 and 0.7.3.
  • Added a test for WordPress 3.4.2 Cross Site Request Forgery.
  • Added a test looking for a Cross-Site Scripting vulnerability in older versions of jQuery which affected Drupal amongst others.
  • Added a test looking for SQL Injection in Symphony v2.3.1 (CVE-2013-2599)

Improvements

  • Client Script Analyser: Optimized script source retrieval (modernizr-2.5.3.js)
  • Improved XSS in URI script to test for Apache Tomcat Path Parameters.
  • Improved WordPress Pingback Scanner test.
  • Improved Blind SQL Injection script.
  • Improved Crossdomain_XML script.
  • Improved Directory Traversal script.
  • Improved Error_Message script.
  • Improved URL redirection script.
  • Improved XSS testing script.
  • The amount of input schemes has been reduced for known applications, improving the scan performance for such web applications.

Bug Fixes

  • Fixed an issue which caused false positives to occasionally show up in the report for Scheduled Scans.
  • Better handling for META http-equiv="refresh" tags by the Crawler.
  • Fixed an issue in error_messages_helpers.inc script.
  • Fixed a minor bug in the Scheduler UI (Bug ID: 364)
  • North and South Korea are now correctly identified in the Product Activation Wizard.
  • Scans were sporadically entering a loop when scanning certain sites using a login sequence and the CSRF check was enabled.
  • WebApps scripts were being invoked even though they were excluded in the scanning profile

Build v8.0.20130308 - 8th March 2013

New Functionality

  • Added a test for Kayako Fusion v4.51.1891 - Multiple Web Vulnerabilities
  • Added various tests for Apache Tomcat
  • Added a test for CKEditor 4.0.1 Cross-Site Scripting vulnerability
  • Added a test for Moveable Type 4.x Unauthenticated Remote Command Execution
  • Implemented detection of Virtual Hosts on the target server
  • Implemented jQuery 1.9 support
  • Added a test for subversion 1.7 (.svn) repositories
  • Added a test for Parallels Plesk SQL Injection Vulnerability (CVE-2012-1557).
  • Implemented some tests looking for various Unicode transformation issues such as Best-Fit Mappings, Overlong byte sequences and Ill-Formed Sub-sequences
  • Added header input schemes for folders
  • Added identification of file names in input scheme parameter values. Any file names detected are subsequently crawled

Improvements

  • Various improvements to XSS tests
  • Improved Possible_Sensitive_Directories script
  • Improved jQuery attr() support
  • Improved Virtual Host Directory Listing test
  • The report of 404 – Page Not Found now instructs users to checks the Referrers tab for a list of pages linking to the broken link

Bug Fixes

  • Fixed a crash that occurs infrequently when configuring a scheduled scan
  • Fixed various minor issues in the scan scheduler

Build v8.0.20130205 - 5th February 2013

New Features          

  • New 14 day Evaluation version will replace the Free Edition. Evaluating users can now perform full scans of the Acunetix test websites and of their websites. The Evaluation version has the following limitations:
    • The vulnerability details are only shown when scanning Acunetix test websites
    • Results cannot be saved
    • Reports are disabled
    • Scheduled scans are disabled

Improvements

  • Changed prioritisation of TLS protocol over SSLv3. This provides better support for IIS 7.5 web servers, which previously refused connections from Acunetix Web Vulnerability Scanner.

Bug Fixes

  • Fixed crash that occurs when the Scan Wizard is used while the Login Sequence Recorder is running
  • Fixed crash in Session Manager

Build v8.0.20121213 - 13th December 2012

New Features

  • New report template for ISO 27001

New Security Checks

  • During a scan Acunetix WVS checks if the MongoDB web interface is open on the external interface
  • Check for included scripts which are from an invalid hostname
  • Added a new module for testing Slow HTTP Denial of Service attacks like Slowloris
  • Added a new security check that tries to guess various internal virtual hosts (information disclosure)
  • Checks for phpLiteAdmin default passwords

Improvements

  • Improved the SQL Injection detection for SQLite3
  • Further improved the Cross-Site Scripting security check
  • Added detailed descriptions to all the Acunetix WVS security scripts
  • Removed all broken web references in vulnerability reports and added several new ones
  • Improved the Joomla! security scripts for more enhanced security scanning of Joomla! portals

Bug Fixes

  • Fixed a text wrapping issue in the compliance reports
  • Fixed an issue where the CSA engine was being executed multiple times against the same file during a scan
  • User-Agent header is now included with the in-session check request
  • Login Sequence Recorder now uses the timeout value specified from settings
  • Fixed several crashes when the Login Sequence Recorder was used against some specific websites

Build v8.0.20121113 - 13th November 2012

New Security Checks

  • New PHP code execution test for Invision Power Board

Improvements

  • We've improved the Acunetix SDK by introducing a new UI for selecting script targets
  • All web security scripts now send the Referrer header during tests, which means that websites that check referrers can now be scanned properly.
  • The XSS security script has been further improved.

Bug Fixes

  • We've added a cache-control HTTP header to crawler requests.
  • Several issues in the crawler have been fixed so you can now crawl larger websites

Build v8.0.20121106 - 6th November 2012

New Features:

  • Schedule up to 2,000 website security scans using a CSV file.
  • Ability to exclude WSDL inputs from a scan from the WSDL scan wizard.

New Security Checks:

  • Added a new security check for IIS global.asa / global.asax backup files.
  • Added a new remote code execution security check for vbseo 3.6.0.
  • New arbitrary PHP code execution security check for Drupal.
  • New information disclosure security check for Drupal.
  • Added several web security checks for Ekton CMS.
  • New XSS security check that can find vulnerabilities in Referrer headers.

Improvements:

  • Scheduler UI now supports pagination for faster load time.
  • Improved XSS vulnerabilities detection in URIs.
  • Improved Input Fields entries for better crawling of websites.

Bug Fixes:

  • Client certificates are now being used from the Login Sequence Recorder.
  • Fixed a crash in the compare scans template.
  • Fixed an AcuSensor injection problem with .NET Framework 4.0 applications.
  • Fixed several Sensitive Directory vulnerabilities false positives.
  • Fixed a Login Sequence Recorder crash.

Build v8.0.20121003 - 3rd October 2012

New Features

  • Added a new option to allow offline activation of Acunetix WVS
  • Added heauristic input limitations in crawler for more efficient scanning

New Security Checks

  • SQL Injection tests for OpenX web application
  • Cross-site scripting checks for IBM Lotus Domino Web Server
  • Search for MySQL connection details when scanning a website
  • Detection of phpMyAdmin v3.5.2.2 backdoor

Improvements:

  • Further enhanced the XSS security check
  • Improved Remote file inclusion security check
  • Local file inclusion tests have been improved to better handle Java based applications
  • When importing scan results to reporting database using the console, the database scan ID will be reported

Bug fixes

  • Fixed a crash when trying to stop the crawler and the CSA engine was still working
  • User specified client certificates are now being used by the Login Sequence Recorder
  • The exit button from LSR was not fully visible in some situations
  • Login Sequence Recorder now uses the configured scan settings templates
  • Manual browser now uses the correct user specified User-Agent string