Acunetix Premium - v9.5.20140602

New Features

  • Added a check for Open Flash Chart ‘ofc_upload_image.php’ Remote PHP Code Execution Vulnerability which affects various web applications including WordPress plugins, Joomla! components, piwik, and others
  • Added a test for Joomla! v3.2.2 SQL Injection vulnerability
  • Added a script which checks for various known Drupal vulnerabilities (in Drupal modules and Drupal core)
  • Added a test for SFTP/FTP credentials exposure. Various SFTP/FTP clients are storing connection credentials in plain text files (such as sftp-config.json, recentservers.xml, etc.) that are later uploaded on the web server
  • Added a test for “Same Site” Scripting
  • Added a test for Parallels Plesk SSO (Single sign-on) XXE (XML External Entity) and XSS (Cross-Site Scripting) vulnerabilities
  • Added a test for systems running PHP versions < 5.5.12, 5.4.28 (multiple vulnerabilities fixed in these versions including the Heartbleed bug affecting PHP)
  • Added a test checking whether the Elasticsearch service is accessible
  • Added a test for Elasticsearch remote code execution
  • Added a test for nginx SPDY heap buffer overflow (CVE-2014-0133)
  • Added a test for Adobe ColdFusion 9 Administrative Login Bypass
  • Added a test for multiple vulnerabilities affecting Ioncube loader-wizard.php file
  • Added a test looking for Apache Roller OGNL Injection
  • Added a test for Apache Tomcat JK Web Server Connector security bypass
  • Added a test looking for XSS vulnerabilities in GWT Google Web Toolkit - CVE-2012-4563, CVE-2012-5920, CVE-2013-4204
  • Added detection of PHP framework CodeIgniter
  • Added a test that checks for server-side redirects from http:// to file://
  • Added a test looking for weak encryption keys in CodeIgniter-based web applications
  • Added a test looking for insecure Django strip_tags implementation
  • Added a test for JBoss Seam 2.3.1 Remoting Vulnerabilities
  • Added detection and a check for the latest version of Typo3 web application
  • Added a test looking for Adobe ColdFusion directory traversal and information disclosure (CVE-2013-3336)
  • Added the following Cross Domain Data Hijacking vulnerability checks:
  • Added a test looking for Database connection strings information disclosure
  • Added a test for CodeIgniter <= 2.1.3 xss_clean() Filter Bypass
  • Added an alert for WordPress username enumeration
  • Added a test for ExtJS charts.swf XSS (distributed with Typo3)
  • Added a test for Ruby on Rails directory traversal (CVE-2014-0130)
  • Added a test for WordPress plugin All In One SEO Pack security vulnerabilities

Improvements

  • Improved PHP version detection and OS detection
  • Improved existing ColdFusion checks
  • Improved SQL injection detection and added better error messages for IBM DB2 databases
  • Improved XXE testing, introduced more test-cases as per this document
  • Implemented server-name extension (SNI) for TLS

Bug Fixes

  • Fixed issue where links originating from XHR were invalidated
  • Fixed issues when inserting data in the reporting database
  • Fixed issue with invalid report dates when Microsoft Access is used for the reporting database
  • Fixed Web Service editor not using updated proxy settings
  • Fixed HTTP editor alert boxes not loading on Windows Server 2003 (caused by Internet Explorer security restrictions)
  • Corrected CVE classification
  • Fixed issue affecting some cases of crawl results from previous versions whereby the input method was not loaded properly
  • Fixed crawler crash when sitemap file is invalid
  • Fixed Apache_CN_Discover_New_Files.script double encoding URIs obtained from Apache
  • Fixed various issues caused when the scan is paused