What steps will reproduce the problem?
1. Set Flex Compiler properties: -debug=false -optimize=true
2. Run HP's WebInspect or HP's SWFScan on a compiled swf with Google Analytics
What is the expected output?
No vulnerabilities for GA.
The following report is displayed:
Summary
An indication that the trace() function is being utilized was detected due to
the presence of debug messaging. This can represent a serious security concern
as path names and other information can be revealed. Recommendations include
removing all debugging messaging from the application code before it is placed
on production servers.
Fix
Set 'Omit Trace Actions' to 'true'. The Omit Trace Actions flag in Flash
development environments tells the compiler to remove any trace commands when
creating the compiled SWF file. This will make the published SWF smaller and it
will remove any excess information or actions from the SWF.
What version of the product are you using?
gaforflash-1.0.1.319
Adobe Flex Builder 3
Flex API 3.2
Windows XP
Please provide any additional information below.
SWFScan indicates
package: com.google.analytics.debug
Class: Layout
Original issue reported on code.google.com by LanceM...@gmail.com on 7 Jul 2011 at 4:05