Acunetix Premium Release Notes

v12.0.190927120 - 30 Sep 2019

Copy Link Copy Link

Version 12 (build 12.0.190927120 - Windows and Linux) 30th September 2019

New Features

Introduced new Scan Type: New Web Vulnerabilities to scan for new vulnerabilities introduced in the latest Acunetix update
Introduced ad-blocking in the scanner, resulting in faster scans
Implemented support for Session HTTP headers when logging in to the site
Introduced custom_settings.xml to configure settings from settings.xml, which are not overwritten on upgrade

New Vulnerability Checks

New test for insecure Java de-serialization causing RCE in SAP Commerce Cloud (CVE-2019-0344)
New test for a weak key used to sign a cookie in Yii2
New test for a weak key used to sign a cookie in Mojolicious
New test for Webmin 0day remote code execution (CVE-2019-15107)
Updated WordPress Core and WordPress Plugin vulnerability checks

Updates

The scan will now report when an invalid Selenium script is used as an import file
Improved detection of the type of Burp import file being used
Increased limit on Custom Headers
Multiple improvements in DeepScan
The LSR Record button is disabled during Login Action playback
Acunetix will start reporting login forms when no login credentials are configured
The tester user will not be able to create or view reports

Fixes

Fixed: Directory Traversal vulnerabilities were sometimes incorrectly reported as found with AcuSensor
Fixed: Several broken references in the vulnerability alerts
Fixed: HTTP Response was not shown in some vulnerability alerts
Fixed an issue causing DeepScan to take too long to process some locations
Fix in PHP Hash Collision DOS vulnerability check
Fixed: Integrated LSR was not working on IE11
Fixed: Selenium script playback fails for some scripts
Fixed: Session Detection fails if session pattern spans multiple lines
Fixed: LSR keeps showing the spinner on some pages
Fixed: LSR Session pattern was not always saved when detected using the navigation
Fixed: LSR Session pattern check might fail for in body / not in body patterns
Fixed: On some systems, Chromium processes cannot be terminated when generating PDF reports
Fixed: Passwords were recoverable from the UI
Better handling of HTTP timeouts by vulnerability checks

v12.0.190827161 - 28 Aug 2019

Copy Link Copy Link

Version 12 (build 12.0.190827161 - Windows and Linux) 28th August 2019

New Features

Implemented support for OpenSearch
Acunetix will try to discover hidden parameters and test them
Acunetix can now check base64 encoded JSON inputs for vulnerabilities

New Vulnerability Checks

New test for Oracle Business Intelligence Convert XXE (CVE-2019-2767)
New test for Oracle Business Intelligence Adfresource Path traversal (CVE-2019-2588)
New test for Oracle Business Intelligence AuthBypass (CVE-2019-2768)
New test for Oracle Business Intelligence ReportTemplateService XXE (CVE-2019-2616)
New test for Jira RCE (CVE-2019-11581)
New test for Test for Atlassian Crowd RCE (CVE-2019-11580)
New tests for Python Code Injection
New test for Apache Spark RCE [https://spark.apache.org/security.html] (CVE-2018-11770)
New test for ColdFusion Deserialization RCE (CVE-2019-7091)
Implemented support for OpenID Connect Discovery
Detect and report Apple application association files
Added new checks for WordPress plugins, Drupal core and Joomla core

Updates

Updated UI to accept IPv6 addresses
Multiple improvements to DeepScan
Improved the Directory Traversal check
Updated the scan limits, reducing repeated requests to larger sites
Acunetix will now extract and process gzipped files
Multiple updates to parsing and heuristic crawler features
Improved the vulnerability deduplication – similar vulnerabilities will be reported once
Improved reporting of the cause of scan failures (e.g. website is unresponsive, invalid import file etc)
Credentials provided to Auto-Login or LSR will not be used for vulnerability tests
Improved processing of Selenium scripts
Improved login form detection by Auto-Login feature
Improved WebLogic detection, and testing for default WebLogic credentials
Improved detection of Vulnerable JavaScript libraries check

Fixes

Fixed a number of issues causing the scanner to stop unexpectedly
Fixed issue causing AcuMonitor checks to be done when AcuMonitor is not enabled
Fixed issue with WSDL parsing
Fixed: Reflected tests (e.g. reflected XSS) was not done on JSON inputs
Fixed issue causing 100% CPU usage when processing certain pages
Fixed hang in the Acunetix Administrative Password utility on Windows
Fixed: DeepScan was not processing XHTML pages
Fixed issue causing Chromiumn process to remain active after PDF report generation
Fixed issue caused by background requests when recording a login sequence
Fixed issue when recording a login sequence on a site that uses cross-domain iframes
Fixed issue when parsing WADL
Fixed issue causing Host Header Attack false negatives

v12.0.190703137 - 04 Jul 2019

Copy Link Copy Link

Version 12 (build 12.0.190703137 - Windows and Linux) 4th July 2019

New Vulnerability Checks

New test for Joomla! Core CSV Injection vulnerability check [CVE-2019-12765]
New test for Joomla! Core XSS vulnerability check (CVE-2019-12766)
New test for Joomla! Core Security bypass (CVE-2019-12764)
New test for Oracle Weblogic XXE (CVE-2019-2647)
Added the detection of CDNs
Added the detection of reverse proxies

Updates

Auto-Login is now using the LSR functionality – this will improve auto-login in general
Improved detection of DOM XSS
Improved handling of invalid Selenium scripts
Improved handling of email addresses fields in web forms
Improved parsing of WSDL files
Implemented support for Proxy-Authenticate header
Improved crawling of Spring-based web applications
Updated LSR to automatically dismiss modal dialogs during playback
Reduced false positives in checks looking for sensitive and backup files
Reduced false positives in SSN number detection
Reduced false positives in XSS in URIs
Improved the detection of WAFs
LSR can now record actions within <iframe> elements
Jira Issue Tracker integration now supports HTTP Authentication with API key

Fixes

Fixed a crash when parsing SOAP messages
Fixed issue in interpretation of some Selenium scripts
Fixed a number of broken links in the Vulnerability Alerts
Autologin was recording the password in the log file
Fixed crash caused when reading specific swagger files
Fixed crash caused when reading specific large files
Fixed issue causing the scanner to go into a loop
Fixed issue causing crawler to not interpret correctly certain locations in JavaScript
Fixed issue in Manual Intervention
Fixed issue affecting sites using euc-kr encoding
Fixed Chromium issue caused when window.chrome is used by the site
Fixed issue causing Chromium not to load on Kali Linux
Fixed LSR playback issue caused when input field contained predefined text
SRI not implemented was being reported multiple times per host

v12.0.190515149 - 14 May 2019

Copy Link Copy Link

Version 12 (build 12.0.190515149 - Windows and Linux) 14th May 2019

New Features

Network Scanning via OpenVAS integration
Introduced support for IPv6 domains (IPv6 addresses not supported yet)
Dynamic resource allocation for when multiple scanners are started on the same machine
Improved resource usage for string comparison functions
Selenium scripts can now be used as import files

New Vulnerability Checks

NEW check for Memcached Unauthorized Access Vulnerability
NEW check for Redis Unauthorized Access Vulnerability
NEW check for SAP ICF /sap/public/info sensitive information disclosure
NEW check for SAP NetWeaver server info information disclosure
NEW check for SAP NetWeaver ConfigServlet remote command execution
NEW check for SAP Portal directory traversal vulnerability
NEW check for SAP NetWeaver ipcpricing server side request forgery
NEW check for SAP Management Console list logfiles
NEW check for SAP Management Console get user list
NEW check for SAP NetWeaver server info information disclosure
NEW check for SAP Knowledge Management and Collaboration (KMC) incorrect permissions
NEW check for SAP NetWeaver Java AS WD_CHAT information disclosure vulnerability
NEW check for SAP weak/predictable user credentials
NEW check for OpenCms Solr XML External Entity (XXE) vulnerability
NEW check for Confluence Widget Connector SSTI
New check for Ruby source code disclosure
NEW check for Python source code disclosure
Added new WordPress Core and WordPress Plugins vulnerability checks
Added new Drupal Core vulnerability checks
Added new Joomla Core vulnerability checks

Updates

Multiple improvements to the detection of Blind SQL Injection
Improved the Error Messages vulnerability check
Improved the Adobe Experience Manager tests
Improved detection of Java Deserialization and Mongo alert deduplication
Improved detection of Rails accept file content disclosure
Updated alert details for Oracle WebLogic Remote Code Execution via T3 (CVE-2018-3245)
Improved detection of Confluence
Improved PHP AcuSensor when used on nginx
Improved detection of PHP code injection
Updated Directory Traversal Check to make fewer requests
Multiple improvements to DeepScan and the LSR
Implemented support for WebSockets in LSR and Deepscan

Fixes

Fixed a few crashes
Fixed issue causing Postcrawl scripts to not be executed on folders
Fixed: Custom cookies could be used twice when the application sets the same cookies
Cookie processing now ignores leading . in domain
Fixed issue with LSR when used on Internet Explorer
Fixed issue with HTTP Authentication
Fixed false positive in Struts_RCE_S2-052_CVE-2017-9805
Fixed severity level for CSRF vulnerability check
Fixed False Negative in Mercurial repository found check
Fixed issue causing site structure not to be updated with locations identified by vulnerability scripts

v12.0.190404166 - 05 Apr 2019

Copy Link Copy Link

Version 12 (build 12.0.190404166 - Windows and Linux) – 5th April 2019

New Vulnerability Checks

Test for Remote code execution in bootstrap-sass 3.2.0.3 (CVE-2019-10842)
Test for Magento (2.2.0 to 2.3.0) Unauthenticated SQL Injection Vulnerability

Updates

Minor update improving efficiency of PerFolder checks
LSR: Disabled spellcheck for fields loaded
Deepscan: Improved exclusion of clicks on logout elements
LSR: clicks on some SVG elements where not being recorded
LSR: Session Pattern Detection now uses session headers provided by webapp

Fixes

Fixed 2 issues causing the scanner to stop unexpectedly
Scan progress was not always correctly saved when scan is paused
Session Pattern Detection was not always using the session headers provided by the webapp

v12.0.190325161 - 26 Mar 2019

Copy Link Copy Link

Version 12 (build 12.0.190325161 - Windows and Linux) – 26th March 2019

New Features

Verified vulnerabilities are now indicated by Acunetix

New Vulnerability Checks

Test for PHP opcache-status page
Test for Arbitrary File Read in Next.js
Test for Nagios XI Magpie_debug.php Unauthenticated RCE (CVE-2018-15708)
Test for Horde Imp Unauthenticated Remote Command Execution
Test for Cisco Identity Service Engine XSS (CVE-2018-15440)
Test for publicly available Apache balancer-manager application
Test for Rails File Content Disclosure in Action View (CVE-2019-5418)
Test for Apache Solr Deserialization of untrusted data via jmx.serviceUrl (CVE-2019-0192)
Added a test for /jolokia
Updated XSS checks to detect vulnerabilities on newer versions of Apache Tomcat
Added new WordPress Core and WordPress Plugins vulnerability checks

Updates

Updated Directory Traversal vulnerability check
Improved detection of Blind SQL Injection
On Linux, OOM Killer will now stop less important processes
Improve handling of XHR requests in Deepscan
Multiple improvements to the LSR and Session detection
Scan Stats are now retained between Pause/Resume
Improved the detection of paths from JSON and XML
Improve techniques used to detect type of input in web form
Multiple minor UI updates

Fixes

Fixed multiple instances of scanner stopping unexpectedly
Fixed false positive reported by WordPress plugin All in One SEO Pack privielege escalation check
Fixed issue causing the same web application to be detected multiple times
Some vulnerability alerts did not show the HTTP Response
Fixed issue causing incorrect processing of default values in forms
HTTP redirects were not being detected
Fixed issue in File Upload XSS vulnerability check
Fixed issue causing PerFolder scripts not to be executed on all folders
Fixed issue causing HAR file importing to fail
Fixed issue causing LSR to fail to load Target with uppercase address
Fixed issue causing SharePoint Reflected Cross-Site Scripting (CVE-2017-8514) not to be reported

v12.0.190227132 - 27 Feb 2019

Copy Link Copy Link

Version 12 (build 12.0.190227132 - Windows and Linux) – 27th February 2019

New Vulnerability Checks

Test for Drupal REST Remote Code Execution (CVE-2019-6340)
Tests for vBulletin 5 routestring Local File Inclusion Vulnerability
Tests for ThinkPHP v5.0.22/5.1.29 Remote Code Execution Vulnerability
Tests for uWSGI Unauthorized Access Vulnerability
Tests for FastGI Unauthorized Access Vulnerability
Test for Typo3 Restler 1.7.0 Local File Disclosure
A number of new vulnerability checks for WordPress Core and Plugins and Drupal Core

Updates

Update Source Code Disclosure checks to prevent False Positives
Unused paths are filtered out from AcuSensor data

Fixes

Fixed false positive in Expression Language Injection vulnerability check
Fixed issue in LSR / Deepscan when processing scripts overriding toJSON on Object

v12.0.190214162 - 15 Feb 2019

Copy Link Copy Link

Version 12 (build 12.0.190214162 - Windows and Linux) – 15th February 2019

Updates

Improved scanning of .NET web applications
Improved processing of CSS files
40% speed improvement when parsing pages
Various updates to WSDL processing

Fixes

Some invalid URLs were being incorrectly reported as external hosts
Fixed issue causing communication problem between scanner and backend
Allowed hosts were not always being scanned
Integrated LSR was not always working on Internet Explorer 11
Fixed LSR display problem when browser window is zoomed or resized
Fixed issue when importing Burp State file

v12.0.190206130 - 07 Feb 2019

Copy Link Copy Link

Version 12 (build 12.0.190206130 - Windows and Linux) – 7th February 2019

New Features

New Integrated Login Sequence Recorder – Login Sequences can be recorded directly from the Acunetix UI
Swagger (JSON and YAML) and WSDL can be used as import files

New Vulnerability checks

New checks for a number of WebBackdoors
New checks for elmah.axd information disclosure
New test for Stack Trace Disclosure in Django
New test for Stack Trace Disclosure in ASP.NET
New test for Stack Trace Disclosure in ColdFusion
New test for Stack Trace Disclosure in Python
New test for Stack Trace Disclosure in Ruby
New test for Stack Trace Disclosure in Tomcat
New test for Stack Trace Disclosure in Grails
New test for Stack Trace Disclosure in Apache MyFaces
New test for Stack Trace Disclosure in Java
New test for Stack Trace Disclosure in GWT
New test for Stack Trace Disclosure in Laravel
New test for Stack Trace Disclosure in Rails
New test for Stack Trace Disclosure in CakePHP
New test for Stack Trace Disclosure in CherryPy
New Directory Listing vulnerability checks
New Error Message vulnerability checks
New test for Oracle Reports RWServlet showenv
New test for Docker Engine API publicly accessible
New test for Docker Registry API publicly accessible
New test for Jenkins server user enumeration
New test for Jenkins server weak credentials
Added the following new tests for Adobe Experience Manager
- Day CQ WCM Debug Filter enabled
- LoginStatusServlet exposed (allows to bruteforce credentials)
- Bruteforce a set of default AEM credentials if LoginStatusServlet is exposed
- QueryBuilderFeedServlet public accessible, sensitive information might be exposed
- Implemented tests for a bunch of SWF files that are exposed by AEM code that are vulnerable to Reflected XSS
- Test if the AEM Groovy Console is publicly accessible. Permits RCE
- Added a test for exposed AEM ACS Tools (a set of tools for AEM developers) – RCE is possible
- Test if GQLServlet is publicly accessible. Sensitive information could be exposed
- Test if Adobe Experience Manager AuditLogServlet is publicly accessible. Audit log records could be exposed
- Test for Server Side Request Forgery (SSRF) via SalesforceSecretServlet (CVE-2018-5006)
- Test for Server Side Request Forgery (SSRF) via ReportingServicesServlet
- Test for Server Side Request Forgery (SSRF) via SiteCatalystServlet was detected

Updates

Improved the scanning of sites using SOAP
Improved parsing of paths
TXT import now takes precedence over excluded paths
Improved the adherence of the scan scope
Improved the detection of the version of WordPress plugins
Improved the automatic session pattern detection in the LSR
LocalStorage / SessionStorage is retained between LSR and Deepscan Sessions

Fixes

Fixed: Scan scope was not always respected
Technology detected during the scan was not being reported
Fixed several scanner unexpected termination issues
Fixed issue causing large PDF reports not to be generated
Fixed: AcuSensor file data is better filtered by scanner

Acunetix Standard & Premium

New Features

New Vulnerability Checks

Updates

Fixes

New Features

New Vulnerability Checks

Updates

Fixes

New Vulnerability Checks

Updates

Fixes

New Features

New Vulnerability Checks

Updates

Fixes

New Vulnerability Checks

Updates

Fixes

New Features

New Vulnerability Checks

Updates

Fixes

New Vulnerability Checks

Updates

Fixes

Updates

Fixes

New Features

New Vulnerability checks

Updates

Fixes