Le Blog

Découvrez les dernières Nouveautés concernant Acunetix

Nouvelle version Acunetix version 12 (Windows/Linux build 12.0.181218140).

19 Décembre 2018


Acunetix version 12 (build 12.0.181218140 - Windows and Linux) has been released. This new build checks for vulnerabilities in Apache Solr, Apache mod)jk, Coldfusion, ACME mini_httpd, Spring Security. The new build also includes a number of updates and important fixes. The new vulnerability checks, updates and fixes are available for both Windows and Linux.

New Vulnerability checks

  • New test for Apache Solr XXE (CVE-2017-12629)
  • New test for RCE in Spring Security OAuth (CVE-2016-4977)
  • New test for Apache mod_jk access control bypass (CVE-2018-11759)
  • New test for Unauthenticated Stored XSS in WordPress Plugin WPML (CVE-2018-18069)
  • New test for ACME mini_httpd (web server) arbitrary file read (CVE-2018-18778)
  • New test for OSGi Management Console Default Credentials
  • New test for Flex BlazeDS AMF Deserialization RCE (CVE-2017-5641)
  • New test for common misconfigurations in ColdFusion
  • New test for AMF Deserialization RCE in ColdFusion (CVE-2017-3066)
  • New test for JNDI injection in ColdFusion (CVE-2018-15957)
  • New test for unauthenticated File uploading in ColdFusion (CVE-2018-15961)
  • New WordPress / WordPress plugin vulnerability checks
  • Updates

  • Improved the injection of payloads and other improvements in the handling of JSON data
  • Updated Chromium to fix Chromium vulnerability
  • Improved web application detection
  • Fixes

  • Corrected LSR launch message for Linux installations
  • Fixed Update License issue on Internet Explorer
  • Fixed several memory leaks/scanner closing unexpectedly
  • Fixed issue affecting the processing of some content types
  • Some cookies were being added multiple times during the scan
  • Some redirects were not being correctly handled
  • Some requests generated by the scanner incorrectly contained two backslashes ('//')
  • Fixed issue in the Backup Folders checks going out of scope
  • Several minor fixes
  • Importantes mises à jour pour Acunetix 12

    5 Décembre 2018
    blog.html
    Nouvelle versions Acunetix version 12 (Windows build 12.0.181203110, Linux build 12.0.181204095).


    DeepScan and Login Sequence Recorder (LSR). It also introduces support for Swagger and Kerberos HTTP Authentication in the Windows version and introduces support for NTLM HTTP Authentication in the Linux version. Also added a good number of new vulnerability checks, including a huge update increasing the detection of stored XSS, and vulnerability checks in major products such as Apache Tomcat, CouchDB, Apach ActiveMQ, Node.js, Oracle WebLogic, nginx, and others. The new build also includes a good number of updates and fixes. Unless otherwise stated, the new features / checks, updates and fixes are available for both Windows and Linux. New features Deepscan has been updated to make use of Chromium (Windows only - already included in Linux) Login Sequence Recorder has been updated to make use of Chromium (Windows only - already included in Linux) Acunetix can now test APIs document using Swagger (Windows only - already included in Linux) Introduced support for NTLM HTTP Authentication on Linux release (already included on Windows) Introduced support for Kerberos HTTP Authentication (Windows only)

    New vulnerability checks

  • A huge update increasing the detection of Stored XSS
  • New test for possible file creation using the HTTP PUT method
  • New test for Apache Tomcat Remote Code Execution Vulnerability (CVE-2017-12615)
  • New test for Ektron Content Management System (CMS) 9.20 SP2, remote re-enabling users (CVE-2018–12596)
  • New test for httpoxy vulnerability
  • New test checks if CouchDB REST API is publicly accessible
  • New test checks if CouchDB is vulnerable to Remote Privilege Escalation resulting in Remote Code Execution (CVE-2017-12635)
  • New test for Apache ActiveMQ default credentials
  • New test for Node.js Path validation vulnerability (CVE-2017-14849)
  • New test for GoAhead web server RCE via unsafe environment initialization of forked CGI scripts (CVE-2017-17562)
  • New test for publicly accessible Hadoop YARN ResourceManager WebUI
  • New test for jQuery-File-Upload <= v9.22.0 unauthenticated arbitrary file upload vulnerability
  • New test looks for Google Firebase Databases URLs in the response and checks if the Firebase Databases are accessible without authentication
  • New test for Oracle WebLogic Remote Code Execution vulnerability via T3 (CVE-2018-3245)
  • New test for Oracle WebLogic Authentication Bypass vulnerability (CVE-2018-2894)
  • New test checks if Jupyter Notebook is publicly accessible
  • New test for Apache Log4j socket receiver deserialization vulnerability
  • New test for NGINX range filter integer overflow (CVE-2017-7529)
  • New test for Xdebug remote code execution via xdebug.remote_connect_back
  • Numerous new checks for WordPress Core, WordPress plugins, Joomla Core and Drupal Core.
  •  

    Updates

  • Numerous memory management improvements
  • Multiple updates to LSR and session detection improving scanning of restricted areas
  • Improved speed of SQL Injection vulnerability checks
  • The new LSR / Deepscan will improve support of JavaScript rich sites
  • Added mock geo-location support to support scanning sites that require geo-location
  • Improved analysis of XML and JSON
  •  

    Fixes

  • Fixed scanner crash when scan was resumed from paused state
  • Fixed some issues in the handling of cookies
  • Custom cookies were not always used
  • Content-Type header was not always being sent. This affected the detection of some vulnerabilities
  • Fixed a false positive in SSL weak key length vulnerability check
  • Fixed issue in the Social Security Number and Credit Card number check
  • Fixed issue with AcuSensor download on Linux release
  • Fixed issue causing scans to be aborted when server returns an invalid charset
  • Fixed a number of other issues causing the scanner to close unexpectedly
  • Fixed a few security issues discovered internally
  • Sensitive and Backup files were not being checked for in the site root
  • Fixed issue with jquery version extractor
  • Fixed 2 internally reported security issues
  • Fixed issue with re-installation of Linux installations
  •  

    Nouvelles vulnérabilités détectées par Acunetix 12

    25 Juin 2018
    0
    Acunetix v12 (build 12.0.180619111) est disponible.

    Cette version permet de détecter de nouvelles vulnérabilités pour WordPress, Django, multiple Spring Framework et pour les produits Atlassian.

     

    Liste complète ci dessous :

    Spring Data Commons RCE via Spring Expression Language (SpEL) injection (CVE-2018-1273) Atlassian OAuth Plugin IconUriServlet SSRF, affecting multiple Atlassian products (CVE-2017-9506) WordPress REST API User Enumeration Django Debug Mode via DisallowedHost Tests for PHP-FPM (FastCGI Process Manager) Status Page Check for common test CGI scripts that are leaking environment variables Check Spring Boot Actuator information disclosure Check for RCE via Spring Boot WhiteLabel Error Page Spring Expression Language (SpEL) Atlassian Jira ManageFilters Information Disclosure

    Nouvelles fonctionnalités Acunetix 12
    et nouveaux tests de Vulnérabilités web.

    21 Juin 2018
    0

    • Lancement du système automatique pour éviter de tester les mêmes pages

    • Nouveau check pour Oracle Weblogic WLS-WSAT Component Deserialization RCE affecting versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0 (CVE-2017-10271)

    • Nouveau check pour PHPUnit RCE versions 4.8.28 and 5.x avant la 5.6.3 (CVE-2017-9841)

    • Nouveau check Edge Side Include Injection vulnerabilities • Nouveau check Dotenv (.env and variants) files

    • Nouveau check pour Joe Text Editor DEADJOE

    • Nouveau check pour Symfony configuration file • Nouveau check pour Laravel (PHP framework) log files

    • Nouveau check des repertoires de backup dans Drupal.

    Mises à jour

    • Optimisation du nombre de timeout et d’essais des requêtes HTTP

    • MAJ de la détection des applications pour réduire le nombre de requêtes HTTP pour des scans plus rapides.

    • Diverses mises à jour sur l’ UI.

    • Meilleur gestion des robots.txt.

    • Détection améliorée des fichiers d’index.

    • Acunetix affiche le nombre de cibles sous licence dans la section « License ».

    Correctifs

    • Some addresses were not parsed correctly, resulting in incorrect paths

    • Some addresses were not detected, resulting in missing paths

    • Some paths were being detected incorrectly • Scanner crash when allowed hosts are used

    • Scanner crash when parsing some pages

    • Scanner hang when crawling caused by DeepScan

    • No links parsed from pages without Content-Type header • Some vulnerability checks duplicated the query values

    • Sitemap was always being detected

    • Fixed validation issues in Security Settings > Account Lockout > Lockout timeout

    • License checks was failing for some installations.

    Quoi de neuf dans ACUNETIX 12 ?

    22 Mai 2018

    • Vitesse de Scan multipliée par 2 (le programme a été entièrement ré-écrit et optimisé en C++).

    Support des nouvelles technologies JavaScript (ES7).

    Nouveau AcuSensor pour les applications JAVA. (TECHNOLOGIE PROPRIETAIRE)

    Pause et Reprise de scan.

    • Exclusion direct de partie à scanner de la structure du répertoire directement depuis l’interface graphique.

    Nouveau : Désormais est inclus un outil de gestion de la politique des mots de passe.