Release Notes

Acunetix Standard & Premium

RSS Feed

v8.0.20130619 - 19 Jun 2013

Copy Link Copy Link
Build v8.0.20130619 - 19th June 2013

New Features

Improvements

  • Reduced false positives in XSS detection
  • Improvements to Web Server Default Welcome Page script
  • Reduced false positives reported by Blind SQL Injection
  • Improvements in the detection of Sensitive Directories
  • Added patterns for Python error messages and stack traces in the Text Search script.

Bug Fixes

  • Fixed an issue in PHP AcuSensor
  • In some situations, the Login Sequence Recorder misidentified connections to HTTPs sites when working through the Acunetix Web Vulnerability Scanner proxy
  • Fixed crash in the crawler when external JavaScript files where processed from a site with AcuSensor enabled
  • Fixed a false positive in Microsoft IIS Tilde Directory Enumeration
  • Fixed issues where scheduled scans with recursion are not rescheduled if they cannot start because of scan restrictions
  • Fixed a bug with Amazon S3 Public Buckets audit KB items being reported multiple times

v8.0.20130416 - 18 Apr 2013

Copy Link Copy Link
Build v8.0.20130416 - 18th April 2013

New Features

  • Added a test that enumerates valid WordPress usernames using various techniques.
  • Added a test for weak WordPress passwords for the usernames identified during the scan.
  • Added a test that identifies common WordPress plugins. For each plugin identified, Acunetix WVS will try to enumerate the plugin name, short description, installed version and latest version of the plugin. This information is shown in a Knowledge Base item.
  • Added a test that identifies Amazon S3 public buckets.
  • Added a test for the security hotfix for ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and UNIX (Adobe Vulnerability ID: APSB13-10; CVE-2013-1387, CVE-2013-1388)
  • Added a test looking for Apache Tomcat SessionExample servlet that can allow session manipulation.
  • Added a test for Drupal Views Module Information Disclosure Vulnerability.
  • Added a test for Gallery v3.0.4 Remote Code Execution.
  • Added a test for Jenkins Dashboard (http://jenkins-ci.org/).
  • Added a test for Roundcube Webmail Security updates 0.8.6 and 0.7.3.
  • Added a test for WordPress 3.4.2 Cross Site Request Forgery.
  • Added a test looking for a Cross-Site Scripting vulnerability in older versions of jQuery which affected Drupal amongst others.
  • Added a test looking for SQL Injection in Symphony v2.3.1 (CVE-2013-2599)

Improvements

  • Client Script Analyser: Optimized script source retrieval (modernizr-2.5.3.js)
  • Improved XSS in URI script to test for Apache Tomcat Path Parameters.
  • Improved WordPress Pingback Scanner test.
  • Improved Blind SQL Injection script.
  • Improved Crossdomain_XML script.
  • Improved Directory Traversal script.
  • Improved Error_Message script.
  • Improved URL redirection script.
  • Improved XSS testing script.
  • The amount of input schemes has been reduced for known applications, improving the scan performance for such web applications.

Bug Fixes

  • Fixed an issue which caused false positives to occasionally show up in the report for Scheduled Scans.
  • Better handling for META http-equiv=”refresh” tags by the Crawler.
  • Fixed an issue in error_messages_helpers.inc script.
  • Fixed a minor bug in the Scheduler UI (Bug ID: 364)
  • North and South Korea are now correctly identified in the Product Activation Wizard.
  • Scans were sporadically entering a loop when scanning certain sites using a login sequence and the CSRF check was enabled.
  • WebApps scripts were being invoked even though they were excluded in the scanning profile

v8.0.20130308 - 08 Mar 2013

Copy Link Copy Link
Build v8.0.20130308 - 8th March 2013

New Functionality

  • Added a test for Kayako Fusion v4.51.1891 – Multiple Web Vulnerabilities
  • Added various tests for Apache Tomcat
  • Added a test for CKEditor 4.0.1 Cross-Site Scripting vulnerability
  • Added a test for Moveable Type 4.x Unauthenticated Remote Command Execution
  • Implemented detection of Virtual Hosts on the target server
  • Implemented jQuery 1.9 support
  • Added a test for subversion 1.7 (.svn) repositories
  • Added a test for Parallels Plesk SQL Injection Vulnerability (CVE-2012-1557).
  • Implemented some tests looking for various Unicode transformation issues such as Best-Fit Mappings, Overlong byte sequences and Ill-Formed Sub-sequences
  • Added header input schemes for folders
  • Added identification of file names in input scheme parameter values. Any file names detected are subsequently crawled

Improvements

  • Various improvements to XSS tests
  • Improved Possible_Sensitive_Directories script
  • Improved jQuery attr() support
  • Improved Virtual Host Directory Listing test
  • The report of 404 – Page Not Found now instructs users to checks the Referrers tab for a list of pages linking to the broken link

Bug Fixes

  • Fixed a crash that occurs infrequently when configuring a scheduled scan
  • Fixed various minor issues in the scan scheduler

v8.0.20130205 - 05 Feb 2013

Copy Link Copy Link
Build v8.0.20130205 - 5th February 2013

New Features

  • New 14 day Evaluation version will replace the Free Edition. Evaluating users can now perform full scans of the Acunetix test websites and of their websites. The Evaluation version has the following limitations:
    • The vulnerability details are only shown when scanning Acunetix test websites
    • Results cannot be saved
    • Reports are disabled
    • Scheduled scans are disabled

Improvements

  • Changed prioritisation of TLS protocol over SSLv3. This provides better support for IIS 7.5 web servers, which previously refused connections from Acunetix Web Vulnerability Scanner.

Bug Fixes

  • Fixed crash that occurs when the Scan Wizard is used while the Login Sequence Recorder is running
  • Fixed crash in Session Manager

v8.0.20121213 - 13 Dec 2012

Copy Link Copy Link
Build v8.0.20121213 - 13th December 2012

New Features

  • New report template for ISO 27001

New Security Checks

  • During a scan Acunetix WVS checks if the MongoDB web interface is open on the external interface
  • Check for included scripts which are from an invalid hostname
  • Added a new module for testing Slow HTTP Denial of Service attacks like Slowloris
  • Added a new security check that tries to guess various internal virtual hosts (information disclosure)
  • Checks for phpLiteAdmin default passwords

Improvements

  • Improved the SQL Injection detection for SQLite3
  • Further improved the Cross-Site Scripting security check
  • Added detailed descriptions to all the Acunetix WVS security scripts
  • Removed all broken web references in vulnerability reports and added several new ones
  • Improved the Joomla! security scripts for more enhanced security scanning of Joomla! portals

Bug Fixes

  • Fixed a text wrapping issue in the compliance reports
  • Fixed an issue where the CSA engine was being executed multiple times against the same file during a scan
  • User-Agent header is now included with the in-session check request
  • Login Sequence Recorder now uses the timeout value specified from settings
  • Fixed several crashes when the Login Sequence Recorder was used against some specific websites

v8.0.20121113 - 13 Nov 2012

Copy Link Copy Link
Build v8.0.20121113 - 13th November 2012

New Security Checks

  • New PHP code execution test for Invision Power Board

Improvements

  • We’ve improved the Acunetix SDK by introducing a new UI for selecting script targets
  • All web security scripts now send the Referrer header during tests, which means that websites that check referrers can now be scanned properly.
  • The XSS security script has been further improved.

Bug Fixes

  • We’ve added a cache-control HTTP header to crawler requests.
  • Several issues in the crawler have been fixed so you can now crawl larger websites

v8.0.20121106 - 06 Nov 2012

Copy Link Copy Link
Build v8.0.20121106 - 6th November 2012

New Features

  • Schedule up to 2,000 website security scans using a CSV file.
  • Ability to exclude WSDL inputs from a scan from the WSDL scan wizard.

New Security Checks

  • Added a new security check for IIS global.asa / global.asax backup files.
  • Added a new remote code execution security check for vbseo 3.6.0.
  • New arbitrary PHP code execution security check for Drupal.
  • New information disclosure security check for Drupal.
  • Added several web security checks for Ekton CMS.
  • New XSS security check that can find vulnerabilities in Referrer headers.

Improvements

  • Scheduler UI now supports pagination for faster load time.
  • Improved XSS vulnerabilities detection in URIs.
  • Improved Input Fields entries for better crawling of websites.

Bug Fixes

  • Client certificates are now being used from the Login Sequence Recorder.
  • Fixed a crash in the compare scans template.
  • Fixed an AcuSensor injection problem with .NET Framework 4.0 applications.
  • Fixed several Sensitive Directory vulnerabilities false positives.
  • Fixed a Login Sequence Recorder crash.

v8.0.20121003 - 03 Oct 2012

Copy Link Copy Link
Build v8.0.20121003 - 3rd October 2012

New Features

  • Added a new option to allow offline activation of Acunetix WVS
  • Added heauristic input limitations in crawler for more efficient scanning

New Security Checks

  • SQL Injection tests for OpenX web application
  • Cross-site scripting checks for IBM Lotus Domino Web Server
  • Search for MySQL connection details when scanning a website
  • Detection of phpMyAdmin v3.5.2.2 backdoor

Improvements:

  • Further enhanced the XSS security check
  • Improved Remote file inclusion security check
  • Local file inclusion tests have been improved to better handle Java based applications
  • When importing scan results to reporting database using the console, the database scan ID will be reported

Bug Fixes

  • Fixed a crash when trying to stop the crawler and the CSA engine was still working
  • User specified client certificates are now being used by the Login Sequence Recorder
  • The exit button from LSR was not fully visible in some situations
  • Login Sequence Recorder now uses the configured scan settings templates
  • Manual browser now uses the correct user specified User-Agent string

v8.0.20120911 - 11 Sep 2012

Copy Link Copy Link
Build v8.0.20120911 - 11th September 2012

New Features

  • A new option that allows you to specify a different email address for each configured scan in the scheduler.
  • HTTP Fuzzer number generator now supports padding, e.g. you can use a leading zero i.e. from 01 to 10.
  • A new option to specify if the latest cookie from the scanned website should be used rather than the one discovered during crawling.
  • New option to force scanner to not overwrite user specified custom cookies with newer cookies from the scanned website.
  • Ability to import multiple HTTP Sniffer captures to the same crawl.
  • Ability to merge HTTP Sniffer captures to existing website crawls.

New Security Checks

  • Added a test for .Net Cross Site Scripting (Request Validation Bypassing).
  • New security check for MediaWiki security issues.

Bug Fixes

  • Fixed a Crossdomain in an XML false positive.
  • Fixed the Scan Wizard back button issue; there were instances were it was not working correctly.
  • Fixed a bug in the scanner to scan only website files found during a crawl.
  • Fixed a memory leak in the Client Script Analyser engine.
  • The Login Sequence Recorder User-Agent string is now the same in both the header and in the scripting code.
  • Fixed a bug within the WSDL scanner “Customize” button.
1 20 21 22 27