Acunetix Web App Scanner has GPL'ed some sections ?
Posted by: andresRiancho
Date: October 19, 2008 01:14PM

List,

For some reason I finally decided to give Acunetix scanner a try, so I opened the very nice (?) CD case they gave me at OWASP with the evaluation version, and installed it in my box. The installation failed (I only tried with wine), and whenever I tried to run it I got a nice "report your bug" window (once again, my fault because I was trying it with wine). So... without being able to actually run the tool, I went to the directory and started reading some files, until something got my attention:

...
<Copyright>GPL</Copyright>
...

WTF? Then I did some more checking...

dz0@brick:~/.wine/drive_c/Program Files/Acunetix/Web Vulnerability Scanner 5/Data/Profiles/VulnXML$ grep GPL * -Rs | wc -l
596
dz0@brick:~/.wine/drive_c/Program Files/Acunetix/Web Vulnerability Scanner 5/Data/Profiles/VulnXML$

And well... yes... it seems that they have GPL copyright for all the VulnXML, which has some interesting information (at least for me), because they have all the errors database for SQL injection, and other "error based detection" vulnerabilities. I know that copyright is not the same as License... but... in this case I think that it could be? Or maybe the copyrights for those files are assigned to a company called GPL? (????)

After that, I decided to see which files weren't actually GPL:

dz0@brick:~/.wine/drive_c/Program Files/Acunetix/Web Vulnerability Scanner 5/Data/Profiles/VulnXML$ grep Copyright * -Rs | grep -v GPL
Blind_SQL_injection_(number_no_end).xml: <Copyright></Copyright>
Blind_SQL_injection_(number).xml: <Copyright></Copyright>
Blind_SQL_injection_(second_string_no_end).xml: <Copyright/>
Blind_SQL_injection_(second_string).xml: <Copyright></Copyright>
Blind_SQL_injection_(string_no_end).xml: <Copyright/>
Blind_SQL_injection_(string).xml: <Copyright></Copyright>
Sift_Unity_Cross-Site_Scripting.xml: <Value>Copyright Sift Group Ltd</Value>
dz0@brick:~/.wine/drive_c/Program Files/Acunetix/Web Vulnerability Scanner 5/Data/Profiles/VulnXML$

So... this is interesting... Some files don't have copyright, and one of them is copyrighted to "Sift Group Ltd".

Finally, I would like to ask you guys some questions:

- Anyone noticed this before?
- Is this a "licensing bug"?
- I'm just guessing but... maybe they HAD to leave this as GPL because they took the information from a GPL project?

If anyone has some insight info, please share ;)

Cheers,

--
Andres
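The grep above only counts matching lines; a small audit that reads each profile's Copyright element and distinguishes a real notice from an empty or self-closing tag gives a clearer picture of what a vendor ships. This is an added example, not part of the post and not Acunetix code; the profile contents below are constructed to resemble the VulnXML files named above, and the element structure is assumed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample profiles, modelled on the file names quoted in the post.
# The XML layout is an assumption, not the real VulnXML schema.
SAMPLE_PROFILES = {
    "SQL_injection.xml":
        "<Vulnerability><Copyright>GPL</Copyright></Vulnerability>",
    "Blind_SQL_injection_(number).xml":
        "<Vulnerability><Copyright></Copyright></Vulnerability>",
    "Blind_SQL_injection_(string_no_end).xml":
        "<Vulnerability><Copyright/></Vulnerability>",
    "Sift_Unity_Cross-Site_Scripting.xml":
        "<Vulnerability><Copyright/><Info>"
        "<Value>Copyright Sift Group Ltd</Value></Info></Vulnerability>",
    "Malformed.xml":
        "<Vulnerability><Copyright>GPL</Copyright>",  # unterminated on purpose
}


def classify_profile(xml_text):
    """Return the licence/copyright a single profile declares.

    'GPL' (or whatever the Copyright element says), 'unknown' when the
    element is empty or self-closing and no other notice exists,
    'parse-error' for broken XML, or a notice found in another element.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return "parse-error"
    node = root.find(".//Copyright")
    text = (node.text or "").strip() if node is not None else ""
    if text:
        return text
    # Empty <Copyright></Copyright> and <Copyright/> both land here; fall back
    # to any element text mentioning "Copyright", which is what grep matched.
    for el in root.iter():
        if el.text and "Copyright" in el.text:
            return el.text.strip()
    return "unknown"


def audit(profiles):
    """Map each file name to its classification."""
    return {name: classify_profile(xml) for name, xml in profiles.items()}


def summarize(profiles):
    """Count how many profiles fall under each licence/notice."""
    return Counter(audit(profiles).values())


if __name__ == "__main__":
    for name, notice in sorted(audit(SAMPLE_PROFILES).items()):
        print(f"{name}: {notice}")
    print(dict(summarize(SAMPLE_PROFILES)))
```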

Re: Acunetix Web App Scanner has GPL'ed some sections ?
Posted by: nullmind
Date: October 20, 2008 07:34AM

Well, to be honest I didn't notice when I tried, but I don't think that is a licensing bug.

Acunetix surely is a union of other projects which might use their own licenses; it isn't uncommon for this kind of project, every module is either developed inside the company or borrowed from someone who already did it.

The GPL license (AFAIK) lets you use products that are not licensed under GPL by using exceptions; for instance, if you consider a typical LAMP installation, you'll see you're playing with several different licenses: Apache, PHP License 3.0, and most importantly MySQL's GPL license exception for PHP.

As far as Acunetix goes, I think that it's just a project built using modules licensed under different conditions :)

Re: Acunetix Web App Scanner has GPL'ed some sections ?
Posted by: andresRiancho
Date: October 20, 2008 10:06AM

@nullmind: Thanks for your answer!
@all: Any other opinions?

--
Andres

Re: Acunetix Web App Scanner has GPL'ed some sections ?
Posted by: kuza55
Date: October 23, 2008 11:55PM

In my experience Acunetix has failed miserably; it has flagged a lot of crap that is really a non-issue, given me a lot of false positives and not found any results.

[EDIT]: To be fair I was using a warez copy, so it was probably a bit out of date, but still, it didn't find anything I cared about, anywhere. And I gave it plenty of chances against different platforms and targets.

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]
