soumavachakraborty / gaforflash

Automatically exported from code.google.com/p/gaforflash
Apache License 2.0
0 stars 0 forks source link

WebInspect and SWFScan indicate vulnerability with GA #87

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1.  Set Flex Compiler properties: -debug=false -optimize=true
2.  Run HP's WebInspect or HP's SWFScan on a compiled swf with Google Analytics

What is the expected output?
No vulnerabilities for GA. 

The following report is displayed:
Summary
An indication that the trace() function is being utilized was detected due to 
the presence of debug messaging.This can represent a serious security concern 
as path names and other information can be revealed. Recommendations include 
removing all debugging messaging from the application code before it is placed 
on production servers.

Fix
Set 'Omit Trace Actions' to 'true'. The Omit Trace Actions flag in Flash 
development environments tells the compiler to remove any trace commands when 
creating the compiled SWF file. This will make the published SWF smaller and it 
will remove any excess information or actions from the SWF. 

What version of the product are you using?
gaforflash-1.0.1.319
Adobe Flex Builder 3
Flex API 3.2
Windows XP

Please provide any additional information below.
SWFScan indicates 
package: com.google.analytics.debug
Class: Layout

Original issue reported on code.google.com by LanceM...@gmail.com on 7 Jul 2011 at 4:05