Acunetix Standard & Premium

New Features and Vulnerability Tests

• Added support for Selenium scripts as Target Import files
• Introduced various vulnerability checks for CMS Made Simple including:
  • PHP Remote File Inclusion (RFI) in version 0.10 (CVE-2005-2846)
  • SQL Injection in version 1.0.5 and earlier (CVE-2007-2473)
  • Directory Traversal in version 1.8.1 and earlier (CVE-2010-2797)
  • Web Server Cache Poisoning in versions 2.1.3 and earlier and 1.12.2 and earlier (CVE-2016-2784)
  • Cross Site Request Forgery (CSRF) in version 2.1.6 and earlier (CVE-2016-7904)
  • Cross Site Scripting (XSS) in version 2.1.6 and earlier (CVE-2017-6555)
  • Cross Site Scripting (XSS) in version 2.1.6 (CVE-2017-6556)
  • Local File Inclusion in version 2.1.6 and earlier

Improvements

• Various minor UI updates
• Improved handling of aborted scans for Targets with Continuous scanning enabled
• Increased Custom Cookie size limit from 512 bytes to 10Kb (2Kb for Acunetix Online)
• Added new email templates
• Email notification now indicates if a scan has failed
• Multiple minor updates to the reports
• Updated the Error Message script to show full JAVA error messages
• Tech Admin role can now create and alter Scan types.

Fixes

• Scan Comparison was incorrectly switching the order of the scans
• Scan Comparison was incorrectly comparing with Allowed host
• Fixed bug in the licensed user limit
• Fixed bug causing scans to fail when the LSR contains Unicode characters
• Multiple fixes in XML export
• Multiple fixes in F5 WAF rules export
• Fixed 2 minor security issues in web interface
• 2 fixes affecting incorrect vulnerability count in Dashboard
• Fixed the retesting of vulnerabilities for Targets requiring manual intervention
• Fixed the Targets page incorrectly showing that the Target is being scanned, when an ongoing scan is deleted.

New Features and Vulnerability Tests

• Added detection for Apache Struts Remote Code Execution (s2-052)
• Added detection for Apache Struts Remote Code Execution (s2-053) – CVE-2017-12611
• Check for Header Injection via misconfigured nginx redirects
• Check for nginx Integer Overflow vulnerability (CVE-2017-7529)

Improvements

• Improved the detection of Blind SQL Injection
• Better support for large JavaScript files
• JAVA error detection now includes the full JAVA error returned by the server
• Improved the Remote File Inclusion XSS checks
• Updated the Joomla and WordPress vulnerability checks

Fixes

• Fixed bug causing the downloading of a Target’s LSR file to fail
• Fixed bug in HTTP Digest Authentication

New Features and Vulnerability Tests

• Detection of Apache Struts 2 Showcase RCE (CVE-2017-9791)
• Check for .hgignore (Mercurial SCM configuration file)
• Check for Atlassian Confluence Stored XSS (CVE-2016-6283)
• Check for private key files with names based on ScanHost, e.g. “www.example.org.key”, “example.org.key”
• Check for moment.js Denial of Service (CVE-2016-4055)
• Various updates to the WordPress and Joomla checks
• Introduction of Multi-Engine functionality for Enterprise customers

Improvements

• Updated the Database backup file checks
• Improved Jquery version fingerprinting
• Updated detection of HttpOnly and Secure cookie flags
• Updated default Target list sorting

Fixes

• Fixed XSS detection issue
• Minor fix to the allow_url_fopen enabled check
• Fixed F5 BIP-AP ASM WAF XML export
• Fixed issue causing Acunetix not to be able to install on Chinese OS

New Vulnerability Tests

• New check for Joomla SQL Injection Vulnerability (CVE-2017-8917)