Seccubus v1.4 has been released

Seccubus v1.4 has just been released on SoureForge. Besides the rechristening of the tool, and some small enhancements this release also fixes a directory traversal vulnerability that allowed an attacker to download arbitrary files from the server with the rights of the apache process.

Here is the full changelog for this release:

17-12-2009

Seccubus v1.4 - Thy new name is…

• Ticket [ 2916275 ] - Rechristen tool Seccubus
• Ticket [ 2916290 ] - Directory traversal vulnerability in get_report.pl
  get_report.pl failed to do proper input validation when constructing a
  filename from user input. This lead to a directory traversal vulnerability
  which enable a remote (authenticated) user to read arbitrary files on the
  server with the rights of apache process.
  While Seccubus supports user authentication it does not enforce that
  authentication is configured upon installation of Seccubus
• Ticket [ 2916282 ] - do-scan enhancement, create dirs if they don’t exist
  If the directories findings and output are not present in var/ e.g. because the user did not copy .skel, but created files manually, do-scan will now create them for him.