Acunetix WVS Build History

Build v6.5.20100616 – 16th June 2010

Change

  • All vulnerability checks which used http://.acunetix.com test websites, now are using http://.vulnweb.com

Build v6.5.20100601 – 19th April 2010

New Feature

  • Added OWASP top 10 2010 report template

Bug Fix

  • Fixed: Proxy crashes when processing some specific SSL traffic

Build v6.5.20100419 – 19th April 2010

Bug Fix

  • Fixed: Access violation when the application exits

Build v6.5.20100407 – 7th April 2010

Bug Fixes

  • Fixed: Login Sequence Recorder was not using client certificates when recording a login sequence
  • Fixed: Login Sequence Recorder was not using the configured User Agent string
  • Fixed: HTTP Sniffer was not handling some specific web authentication properly

Build v6.5.20100303 – 3rd March 2010

New feature

  • Added a new option to export results to HTTP Fuzzer

New Security Checks

  • Test for XML External Entity Injection
  • Test for XML Injection

Improvements

  • Improved directory traversal vulnerability check
  • Improved Cross-site Scripting (XSS) vulnerability checks

Bug Fixes

  • Fixed: access violation when the application exists
  • Fixed: access violation when protocol was terminated in NotifyCaller function in LSR
  • Fixed: AbortVulnXML OnFirstAlert was not imported from settings
  • Fixed: Form values were not encoded correctly when submitted from JavaScript (CSA engine)

Build v6.5.20100210 – 10th February 2010

New security check

  • Test for Cross Site Scripting in the Referrer header

Improvement

  • Acunetix Firefox extension now supports latest Firefox release

Bug Fixes

  • Crawler: Html decode form inputs before usage
  • Fixed an infinite recursion when crawler reported an external link from the same host but on a different port
  • Fixed an issue with the crawler with parsing robots.txt file
  • Web Services scanner: Fixed parsing of WSDL files with attributes

Build v6.5.20100203 – 3rd February 2010

New security checks

  • 8.3 DOS filename source code disclosure
  • Apache Tomcat Directory Host Appbase authentication bypass vulnerability
  • Apache Tomcat WAR File directory traversal vulnerability
  • Apache stronghold-info enabled
  • Apache stronghold-status enabled
  • ColdFusion 9 Solr Service exposed
  • Error page path disclosure
  • Error page web server version disclosure
  • File inclusion RFI list
  • Checks for multiple vulnerabilities in XAMPP
  • Server-Side Includes (SSI) injection on Unix
  • Server-Side Includes (SSI) injection on Windows
  • ASP.NET error messages when requesting URL like |.aspx

Improvements

  • Added more variants to FCKeditor arbitrary file upload
  • Updated cross site scripting in path security checks
  • Updated directory listing security checks
  • Updated directory traversal on Unix security checks
  • Updated file upload security checks
  • Updated LDAP injection security checks
  • Updated possible sensitive files security checks
  • Updated XPath injection security checks

Bug Fixes

  • Workaround for window.open used with NULL parameter
  • Notify elements that they are unbidden
  • Notify form if an input was removed
  • Include select element values in submitted data
  • Fixed: HttpProt was sending content length with CONNECT
  • Fixed: Crawler didn’t consider post data for links from CSA engine; some where ignored
  • Fixed: Login sequence recorder was sending requests synchronously

Build v6.5.20100111 – 11th January 2010

New security checks

  • Test for File Upload IIS bug filename.asp;.jpg
  • Test for WP-Forum 2.3 vulnerabilities
  • JBoss rmi ping (network script)

Bug Fixes

  • Bugfix: Modified forms notifications from CSA
  • Bugfix: CSA: Workaround for window.open with null parameters
  • Fixed: In some specific scenarios the scheduler queue was restarting on its own
  • Fixed: Node was not expanding automatically when manually adding a new logout link in the LSR

Build v6.5.20091215 – 15th December 2009

New security checks

  • JBoss BSHDeployer MBean
  • JBoss checks from RedTeam’s paper
  • JBoss HttpAdaptor JMXInvokerServlet
  • JBoss Server MBean
  • JBoss ServerInfo MBean
  • JBoss Web Console JMX Invoker
  • phpShop v0.8.1 Multiple Vulnerabilities
  • Invision Power Board <= v3.0.4 Local PHP File Inclusion and SQL Injection

Improvements

  • Improved Blind SQL injection tests to reduce false positives
  • Added better JBoss server detection
  • Better detection for Postgre SQL injections

Bug Fixes

  • Fixed: GUI crashes when specific settings are changed in the Port Scanner node
  • Fixed: Login Sequence recorder was retaining post data when redirecting to the same page

Build v6.5.20091130 – 30th November 2009

Bug Fixes

  • Fixed: crash in TM_MultiRequest_Parameter_Manipulation module
  • Fixed: bug in crawler related with GetVar encoding

Build v6.5.20091124 – 24th November 2009

New

  • New security checks of AcuSensor Technology
    • curl_exec() url is controlled by user
    • PHP preg_replace used on user input
    • PHP super-globals-overwrite
    • PHP unseriazlie used on user input
  • Other new security checks of Acunetix WVS
    • osCommerce authentication bypass
    • Apache Tomcat insecure default administrative password
    • Apache Tomcat directory traversal
    • Checks for PHP invalid data type error messages
    • Check for possible remote SWF inclusion
    • Added further checks for possible sensitive files; general tests per server
    • Added further checks for possible sensitive directories; general tests per server
    • Added a new security check for SQL injection in the authentication header (basic authentication, base64 encoded)
    • Added AlertIfTextNotFound group parameter to invert search and issue an alert if a specified text is not found

Improvements

  • Renamed Weak password module to Authentication module since now it includes much more authentication security checks
  • Improved Cross-site scripting in URI checks to include Ruby on rails security checks
  • Improved Application errors security checks
  • Introduced 3 new setting parameters for the crawler in Settings.XML file:
    • 262144
    • 256
    • 1000

Bug Fixes

  • Fixed: false positives issued in weak password alert
  • Fixed: WSDL importer crash when importing recursive complex elements
  • Fixed: Crawler proxy request handling changed to decode the input name/value
  • Fixed Vulnerability Editor to show group parameters with default values if no VulnXML template is used
  • Changed HTTP_Anomalies to log PHP errors and save the results in a file (instead of alerts)Changed HTTP_Anomalies to log PHP errors and save the results in a file instead of alerts
  • Hidden VulnXML properties for alerts that are not using vulnxml default template in Vulnerability Editor
  • Adjusted VulnXML to reduce the number of false positives for Blind SQL injection timing tests
  • Updated CSA engine; delete the BOM characters from script sources
  • Updated URL_Helper; UrlEncode/Decode modified not to use str := str + ch and to validate hex characters after %
  • Updated File_Inputs; possible values are limited in size now

Build v6.5.20091027 -27th October 2009

Bug Fixes

  • Fixed: Redirect on LoginSequenceStep was not followed correctly
  • Fix in URL Rewrite module to remove GetVars before matching rules

Build v6.5.20091012 -12th October 2009

Bug Fixes

  • Fixed: Memory leak when invoking state change handler
  • Fixed: Item index for an item which has just been inserted fails in the Browserframe
  • Fixed: Error in indexing the get variables when redirecting in Session management

Build v6.5.20091005 – 5th October 2009

New

  • Added a new check for SVN repositories

Improvements

  • Improved MultiRequest paramenter manipulation; now using the form matcher to match parameter values
  • Improved SQL injection tests
  • Improved Application error tests

Bug Fixes

  • Fixed: Links from HTML comments and other sources that are not trusted where not checked if they are from the same host as the base
  • Fixed: Login sequence not working properly with HTTP authentication
  • Fixed: MessageDlg was used in inittempfiles in console mode
  • Fixed: WinInet bug to resent the request if the server accepts client certificates
  • Fixed: Redirect from index.php to index.php was not working

Build v6.5.20090917 – 17th September 2009

New

  • Added two new blind SQL injection tests
  • Added a new scanning profile for stored XSS only
  • Added HTTP verb tempering using POST method check

Improvements

  • Improved appearance for compliance report by adding visual markets and several other presentation enhancements

Bug Fixes

  • Fixed temporary files access issue
  • Fixed issue where HTTP Proxy was dublicating the connection: keep-alive header
  • Fixed issue where HTTP Proxy was putting the authorization header from fake basic authentication into server request
  • Fixed a problem where credentials configured through command line where not working properly in particular situations

Build v6.5.20090813 – 13th August 2009

Improvements

  • HTML forms settings node was renamed to Input Fields. This node now can also be used to pre-define web services operations values.
  • New SQL Injection tests added
  • New XSS tests (unicode) added

Build v6.5.20090728 – 28th July 2009

New Features

  • Manual Intervention module: better support for CAPTCHA and modern authentication mechanisms

Improvements:

  • Added new variants of blind SQL injection tests (now testing both AND and OR boolean operators)
  • Added new tests for SQL Injection with charset GBK/Big5
  • Added new variants for Cross site scripting

Bug Fixes

  • Fixed several issues with CSA (Client Script Analyzer) engine.

Build v6.5.20090622 – 22nd June 2009

Improvements

  • Better cookies handling in several modules
  • Implemented exception handler in Login Sequence Recorder

Bug Fixes

  • Handled issue when non-responsive hosts triggered download dialog

Build v6.5.20090618 – 18th June 2009

New Features

  • Implemented Blind SQL Injection (timing) for web services scanner
  • Implemented HTTP authentication for web services scanner

Bug Fixes

  • Fixed problem related to File Inclusion in AcuSensor Technology
  • Fixed a problem in ssl_ping network script

Build v6.5.20090519 – 20th May 2009 – NEW VERSION

New Features


  • File upload forms vulnerability checks

  • New Login Sequence Recorder; supports much more authentication forms and web technologies
  • Session Auto Recognition module; if the session is invalidated or logged out during crawling, the scanner will automatically replay the login sequence without the need of manual intervention
  • Actions drop down menu; for each selected node, the actions drop down menu is activated showing all possible functions
  • Much more checks and alerts for JSP, Java and Tomcat web server

Major Improvements

  • Improved cookie management and session handling to support modern dynamic websites
  • Port scanner and Network Alerts results will appear in a separate node in the results tree
  • Users can import Version 6 settings to Version 6.5
  • Added blind SQL injection timing test using MySQL’s sleep and MS SQL’s waitfor function. This will help in discovering particular blind SQL injections that do not report a change on the page