Acunetix WVS Build History

Build v8.0.20130619 – 19th June 2013

New Features

Improvements

  • Reduced false positives in XSS detection
  • Improvements to Web Server Default Welcome Page script
  • Reduced false positives reported by Blind SQL Injection
  • Improvements in the detection of Sensitive Directories
  • Added patterns for Python error messages and stack traces in the Text Search script.

Bug Fixes

  • Fixed an issue in PHP AcuSensor
  • In some situations, the Login Sequence Recorder misidentified connections to HTTPs sites when working through the Acunetix Web Vulnerability Scanner proxy
  • Fixed crash in the crawler when external JavaScript files where processed from a site with AcuSensor enabled
  • Fixed a false positive in Microsoft IIS Tilde Directory Enumeration
  • Fixed issues where scheduled scans with recursion are not rescheduled if they cannot start because of scan restrictions
  • Fixed a bug with Amazon S3 Public Buckets audit KB items being reported multiple times

Build v8.0.20130416 – 18th April 2013

New Features

  • Added a test that enumerates valid WordPress usernames using various techniques.
  • Added a test for weak WordPress passwords for the usernames identified during the scan.
  • Added a test that identifies common WordPress plugins. For each plugin identified, Acunetix WVS will try to enumerate the plugin name, short description, installed version and latest version of the plugin. This information is shown in a Knowledge Base item.
  • Added a test that identifies Amazon S3 public buckets.
  • Added a test for the security hotfix for ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and UNIX (Adobe Vulnerability ID: APSB13-10; CVE-2013-1387, CVE-2013-1388)
  • Added a test looking for Apache Tomcat SessionExample servlet that can allow session manipulation.
  • Added a test for Drupal Views Module Information Disclosure Vulnerability.
  • Added a test for Gallery v3.0.4 Remote Code Execution.
  • Added a test for Jenkins Dashboard (http://jenkins-ci.org/).
  • Added a test for Roundcube Webmail Security updates 0.8.6 and 0.7.3.
  • Added a test for WordPress 3.4.2 Cross Site Request Forgery.
  • Added a test looking for a Cross-Site Scripting vulnerability in older versions of jQuery which affected Drupal amongst others.
  • Added a test looking for SQL Injection in Symphony v2.3.1 (CVE-2013-2599)

Improvements

  • Client Script Analyser: Optimized script source retrieval (modernizr-2.5.3.js)
  • Improved XSS in URI script to test for Apache Tomcat Path Parameters.
  • Improved WordPress Pingback Scanner test.
  • Improved Blind SQL Injection script.
  • Improved Crossdomain_XML script.
  • Improved Directory Traversal script.
  • Improved Error_Message script.
  • Improved URL redirection script.
  • Improved XSS testing script.
  • The amount of input schemes has been reduced for known applications, improving the scan performance for such web applications.

Bug Fixes

  • Fixed an issue which caused false positives to occasionally show up in the report for Scheduled Scans.
  • Better handling for META http-equiv=”refresh” tags by the Crawler.
  • Fixed an issue in error_messages_helpers.inc script.
  • Fixed a minor bug in the Scheduler UI (Bug ID: 364)
  • North and South Korea are now correctly identified in the Product Activation Wizard.
  • Scans were sporadically entering a loop when scanning certain sites using a login sequence and the CSRF check was enabled.
  • WebApps scripts were being invoked even though they were excluded in the scanning profile

Build v8.0.20130308 – 8th March 2013

New Functionality

  • Added a test for Kayako Fusion v4.51.1891 – Multiple Web Vulnerabilities
  • Added various tests for Apache Tomcat
  • Added a test for CKEditor 4.0.1 Cross-Site Scripting vulnerability
  • Added a test for Moveable Type 4.x Unauthenticated Remote Command Execution
  • Implemented detection of Virtual Hosts on the target server
  • Implemented jQuery 1.9 support
  • Added a test for subversion 1.7 (.svn) repositories
  • Added a test for Parallels Plesk SQL Injection Vulnerability (CVE-2012-1557).
  • Implemented some tests looking for various Unicode transformation issues such as Best-Fit Mappings, Overlong byte sequences and Ill-Formed Sub-sequences
  • Added header input schemes for folders
  • Added identification of file names in input scheme parameter values. Any file names detected are subsequently crawled

Improvements

  • Various improvements to XSS tests
  • Improved Possible_Sensitive_Directories script
  • Improved jQuery attr() support
  • Improved Virtual Host Directory Listing test
  • The report of 404 – Page Not Found now instructs users to checks the Referrers tab for a list of pages linking to the broken link

Bug Fixes

  • Fixed a crash that occurs infrequently when configuring a scheduled scan
  • Fixed various minor issues in the scan scheduler

Build v8.0.20130205 – 5th February 2013

New Features

  • New 14 day Evaluation version will replace the Free Edition. Evaluating users can now perform full scans of the Acunetix test websites and of their websites. The Evaluation version has the following limitations:
    • The vulnerability details are only shown when scanning Acunetix test websites
    • Results cannot be saved
    • Reports are disabled
    • Scheduled scans are disabled

Improvements

  • Changed prioritisation of TLS protocol over SSLv3. This provides better support for IIS 7.5 web servers, which previously refused connections from Acunetix Web Vulnerability Scanner.

Bug Fixes

  • Fixed crash that occurs when the Scan Wizard is used while the Login Sequence Recorder is running
  • Fixed crash in Session Manager

Build v8.0.20121213 – 13th December 2012

New Features

  • New report template for ISO 27001

New Security Checks

  • During a scan Acunetix WVS checks if the MongoDB web interface is open on the external interface
  • Check for included scripts which are from an invalid hostname
  • Added a new module for testing Slow HTTP Denial of Service attacks like Slowloris
  • Added a new security check that tries to guess various internal virtual hosts (information disclosure)
  • Checks for phpLiteAdmin default passwords

Improvements

  • Improved the SQL Injection detection for SQLite3
  • Further improved the Cross-Site Scripting security check
  • Added detailed descriptions to all the Acunetix WVS security scripts
  • Removed all broken web references in vulnerability reports and added several new ones
  • Improved the Joomla! security scripts for more enhanced security scanning of Joomla! portals

Bug Fixes

  • Fixed a text wrapping issue in the compliance reports
  • Fixed an issue where the CSA engine was being executed multiple times against the same file during a scan
  • User-Agent header is now included with the in-session check request
  • Login Sequence Recorder now uses the timeout value specified from settings
  • Fixed several crashes when the Login Sequence Recorder was used against some specific websites

Build v8.0.20121113 – 13th November 2012

New Security Checks

  • New PHP code execution test for Invision Power Board

Improvements

  • We’ve improved the Acunetix SDK by introducing a new UI for selecting script targets
  • All web security scripts now send the Referrer header during tests, which means that websites that check referrers can now be scanned properly.
  • The XSS security script has been further improved.

Bug Fixes

  • We’ve added a cache-control HTTP header to crawler requests.
  • Several issues in the crawler have been fixed so you can now crawl larger websites

Build v8.0.20121106 – 6th November 2012

New Features

  • Schedule up to 2,000 website security scans using a CSV file.
  • Ability to exclude WSDL inputs from a scan from the WSDL scan wizard.

New Security Checks

  • Added a new security check for IIS global.asa / global.asax backup files.
  • Added a new remote code execution security check for vbseo 3.6.0.
  • New arbitrary PHP code execution security check for Drupal.
  • New information disclosure security check for Drupal.
  • Added several web security checks for Ekton CMS.
  • New XSS security check that can find vulnerabilities in Referrer headers.

Improvements

  • Scheduler UI now supports pagination for faster load time.
  • Improved XSS vulnerabilities detection in URIs.
  • Improved Input Fields entries for better crawling of websites.

Bug Fixes

  • Client certificates are now being used from the Login Sequence Recorder.
  • Fixed a crash in the compare scans template.
  • Fixed an AcuSensor injection problem with .NET Framework 4.0 applications.
  • Fixed several Sensitive Directory vulnerabilities false positives.
  • Fixed a Login Sequence Recorder crash.

Build v8.0.20121003 – 3rd October 2012

New Features

  • Added a new option to allow offline activation of Acunetix WVS
  • Added heauristic input limitations in crawler for more efficient scanning

New Security Checks

  • SQL Injection tests for OpenX web application
  • Cross-site scripting checks for IBM Lotus Domino Web Server
  • Search for MySQL connection details when scanning a website
  • Detection of phpMyAdmin v3.5.2.2 backdoor

Improvements:

  • Further enhanced the XSS security check
  • Improved Remote file inclusion security check
  • Local file inclusion tests have been improved to better handle Java based applications
  • When importing scan results to reporting database using the console, the database scan ID will be reported

Bug Fixes

  • Fixed a crash when trying to stop the crawler and the CSA engine was still working
  • User specified client certificates are now being used by the Login Sequence Recorder
  • The exit button from LSR was not fully visible in some situations
  • Login Sequence Recorder now uses the configured scan settings templates
  • Manual browser now uses the correct user specified User-Agent string

Build v8.0.20120911 – 11th September 2012

New Features

  • A new option that allows you to specify a different email address for each configured scan in the scheduler.
  • HTTP Fuzzer number generator now supports padding, e.g. you can use a leading zero i.e. from 01 to 10.
  • A new option to specify if the latest cookie from the scanned website should be used rather than the one discovered during crawling.
  • New option to force scanner to not overwrite user specified custom cookies with newer cookies from the scanned website.
  • Ability to import multiple HTTP Sniffer captures to the same crawl.
  • Ability to merge HTTP Sniffer captures to existing website crawls.

New Security Checks

  • Added a test for .Net Cross Site Scripting (Request Validation Bypassing).
  • New security check for MediaWiki security issues.

Bug Fixes

  • Fixed a Crossdomain in an XML false positive.
  • Fixed the Scan Wizard back button issue; there were instances were it was not working correctly.
  • Fixed a bug in the scanner to scan only website files found during a crawl.
  • Fixed a memory leak in the Client Script Analyser engine.
  • The Login Sequence Recorder User-Agent string is now the same in both the header and in the scripting code.
  • Fixed a bug within the WSDL scanner “Customize” button.

Build v8.0.20120808 – 9th August 2012

New Feature

  • Acunetix WVS will alert the user if a web application firewall or IDS are detected

New Security Checks

  • Added a security check for FCKeditor cross site scripting vulnerability
  • Added a test for Liferay json Auth Bypass
  • Acunetix WVS now checks for Server Side Request Forgery
  • Added several security checks for IBM Tivoli Access Manager Web Server vulnerabilities
  • New security check for vulnerabilities in SharePoint Could Allow Elevation of Privilege (MS12-050)
  • Acunetix WVS now cheks for several DotNetNuke vulnerabilities (popular ASP.NET CMS)
  • Added a new security check for exposed Apache Solr Service
  • Remote code execution tests for Umbraco asp.net CMS software
  • Check for SWFUpload applet vulnerability in a large number of web applications
  • Added security checks for user controllable scripts and charsets

Improvements

  • Cross-site scripting (XSS) security checks were improved
  • HTTP Verb Tapering security script now bruteforces common or sensitive files and directories

Bug Fixes

  • Fixed: Incorrect handling of Internet Explorer’s Javascript substr implementation
  • Fixed: Login Sequence Recorder; ssl_write result was not handled correctly resulting in data not rendering correctly
  • Fixed: Display problem; alert/child count was not displayed correctly in some cases
  • Fixed: Developer report was not showing long urls in coverage report
  • Fixed: Saved credentials were not persistent in general settings

Build v8.0.20120704 – 4th July 2012

New Security Checks

  • Added a number of new HTML 5 Cross-site scripting security checks
  • Content-type text /xml responses are now being checked for XSS vulnerabilities
  • Using Windows 8.3 short filenames techniques to check for information disclosure
  • Checks for Microsoft IIS Tilde directory enumaration problems
  • A number of new security checks for Webadmin
  • Checking for MySQL, RubyonRails and phpMyAdmin SQL dump files on web applications
  • File disclosure via XXE Injection tests for Zend Framework
  • Information disclosure checks in environment variables

Improvements

  • Improved Directory Traversal security checks
  • Less false positives reported by the HTML Forms security checks

Bug Fixes

  • Custom cookies paths are now set correctly to the start URL
  • Login Sequence Recorder now executes Javascripts even if there are js errors
  • New discovered input parameters variations are added to the list of input variations rather than ignored

Build v8.0.20120613 – 13th June 2012

New Security Checks

  • New security checks for Microsoft SharePoint.
  • Debug Parameters test offers you the ability to check your web applications if common debug parameters, such as “?debug=1” disclose sensitive information.
  • New Cross-Site Scripting checks for Ruby on Rails / Homakov variants.
  • Security check for JetBrains .idea project directory.
  • ToolsPack backdoor verification.
  • Security check for Fantastico_Filelist information disclosure.
  • Tests for authentication bypass vulnerabilities in MySQL, MariaDB (CVE-2012-2122).
  • Check for Nginx restrictions bypass (CVE-2011-4963).
  • New checks when phpinfo() page is discovered: all html in such page is parsed and various alerts are issued reporting PHP configuration problems (display_errors on, register_globals etc).

New Features

  • Ability to export report in the Report Viewer.
  • Alerts you when HTML forms do not have CSRF protection.

Improvements

  • Rewrote the ASP_NET_Oracle_Padding security script.
  • Improved SVN/GIT repository security scripts.
  • Improved presentation for all the alerts generated by crawler by showing more attack details.

Bug Fixes

  • Login sequence recorder is now using the configured user-agent.
  • Cookies path parameters are better supported.
  • The scheduler authentication checkbox is restored properly if you press “Cancel”.
  • Fixed theTrace/Track HTTP method test security script issue.
  • The input forms which are part of the login sequence are no longer filled with HTML forms pre-configured data.
  • Fixed the namespaces issue on the Web Services scanner.
  • Corrected the requests which are generated by the scan results imported from the Firefox extension.
  • Blind SQL injection now reports the correct value in the alert details.
  • Fixed the Jquery problem: CSA select html element and options are now correctly handled.

Build v8.0.20120508 – 8th May 2012

New Security Check

  • Acunetix WVS checks if your PHP-CGI installation is vulnerable to remote code execution. For further information regarding this type of vulnerability, read the PHP-CGI advisory article here.

New Features

  • Ability to edit scheduled scans. No need for scheduling new scans every time you wish to change a scan setting.
  • Amend multiple scheduled scans simultaneously by selecting them and applying the required global changes.
  • Save all your scanned results and access them at any time from your scheduler’s scan history. You can also delete your scanned results from the web-based scheduler.
  • A new setting has been introduced to configure the maximum number of pages during a crawl.

Improvements

  • Improved Cross-Site Scripting (XSS) tests.
  • The web-based scheduler has been improved to run better in the latest version of Internet Explorer.
  • Enhanced SQL injection tests to reduce the false positives reporting even more.

Bug Fixes

  • The scheduled scans can be correctly imported after upgrading to a more recent build of Acunetix WVS 8.
  • The false positives settings node can now support changes from multiple instances at the same time.
  • Web Service Definition Language (WSDL) Scanner URL edit box is now able to save history.

Build v8.0.20120423 – 23rd April 2012

New Feature

  • Automatic verification of discovered web vulnerabilities.

Build v8.0.20120326 – 26th March 2012

New Security Checks

  • Acunetix WVS 8 runs security tests for Joomla 1.6.x/1.7.x/2.5.x Privilege Escalation
  • Acunetix WVS 8 provides security tests Joomla 1.7/2.5 Core SQL Injection

Improvements

  • More advanced security checks for MongoDB and Rails Mass Assignment.

Bug Fixes

  • The crash in the Login Sequence Recorder has been fixed.
  • The Login Sequence Recorder is accurately parsing websites which send back GZIP encoded content, even if it was not specified in the Accept-Encoding header.
  • The Acunetix Reporter has improved the handling of missing scans reports.
  • The Acunetix Reporter Console supports spaces within the specified parameters.
  • The Acunetix Reporter accepts longer input names.

Build v8.0.20120305 – 07th March 2012

New Security Checks

  • Scanning of Web Statistics Software Applications such as AWStats and Webalizer. Acunetix WVS crawls the result pages of your website(s) statistics software application and notifies you if sensitive data is disclosed in such pages.
  • Automatic checks for ASP Code injection vulnerability.
  • Further security checks for SQLite Databases.
  • Security checks for Rails Mass Assignment.

New Features

  • Ability to stop the website crawling and proceed with the scan at anytime.
  • Posibility to choose a scan report template that you would like to use when scheduling a scan.

Improvements

  • Scripts are being executed faster thus the scans are taking less time to complete.
  • Improved security scripts for Blind SQL injection, Remote File Inclusion XSS, File Inclusion and Directory Traversal.
  • If a variant check for a specific vulnerability times out, the next variant checks assigned for that type of vulnerability will be launched automatically.

Bug fixes

  • Crawler: input encoding was not correct for _EVENTTARGET = and /
  • Ansi string was not working correctly when using specific languages other than English.

Build v8.0.20120215 – 16th February 2012 – NEW VERSION

New Features

  • Manipulation of inputs from URL’s
  • Automatic IIS 7 rewrite rule interpretation
  • Support for custom HTTP headers during automated scans
  • Imperva Web Application Firewall integration
  • Multiple instance support for scanning multiple websites in parallel
  • New web-based Scheduler
  • Automatic custom 404 error page recognition and detection
  • Scan settings templates
  • Simplified Scan Wizard
  • Smart memory management
  • Real-time Crawler status
  • Scan termination status included in report
  • Web application coverage report
  • Configuration of log files retention

New Vulnerability Classes Checks

New Web Security Audit Checks

  • Check website content for Bazaar source code repository
  • Check website content for Mercurial source code repository
  • Check website content for source code GIT repository
  • Disclosure of HTML Forms in redirect pages
  • Security audit of alternative PHP cache
  • Check for insecure preg replace in PHP
  • Apache httpOnly Cookie Disclosure
  • Elmah Information Disclosure
  • Checks for Options web server method
  • PHP Hash Collision Denial Of Service
  • Plone&Zope Remote Command Execution
  • Checks for Reverse Proxy bypass
  • CakePHP web application Audit
  • Web applications Configuration File Disclosure
  • phpThumb web application audit
  • Struts2 Remote Code Execution
  • Tiny MCE web application audit
  • Uploadify web application audit
  • Webmail web application audit

Improved the Web Security Audit Scripts for

  • SQL Injection
  • XSS (Cross site scripting)
  • Code Execution
  • CRLF Injection
  • Directory Traversal
  • File Inclusion
  • PHP Code Execution
  • Backup Files
  • Sensitive Text Search
  • Secure Socket Layer configuration
  • Error Messages
  • ASP.NET Application Trace
  • .htaccess File Configuration
  • Http Verb Tampering
  • PHPInfo / PHP Configuration
  • Possible Sensitive Directories Disclosure
  • Possible Sensitive Files Disclosure
  • SQL Injection In Basic Authentication
  • SQL Injection In URI
  • SVN Repository Disclosure
  • Trojan Scripts
  • File Upload Form Audits
  • Generic Oracle Padding
  • Web Form based Authentication
  • LDAP Injection
  • Script Source Code Disclosure
  • XFS and Redir
  • XPath Injection
  • Apache Geronimo Default Administrative Credentials
  • ColdFusion v9 Solr Exposed
  • Error Pages with Path Disclosure
  • Frontpage Authors Passwords
  • Frontpage Extensions Enabled
  • IIS Unicode Directory Traversal
  • JBoss Web Server Configuration
  • Unprotected phpMyAdmin Interface
  • Web Server Version Checks
  • XML External Entity Injection
  • FCKEditor security audit
  • Struts2 XWork Remote Code Execution

Improvements

  • Smart Memory management (ability to scan larger websites)
  • Detection of more web security vulnerability variants