Topic: SimpleViewer SWF Vulnerabilities
Hi, I ran the Flash file for SimpleViewer against HP SWFScan and received the following vulnerabilities:
SWFScan Vulnerability Report:
a) MD5 Hash Detected
Fix: The application should only use cryptographically secure hashing algorithms, such as SHA-224, SHA-256, SHA-384, or SHA-512. Hashes representing sensitive data should be salted to reduce the effectiveness of rainbow tables.
b) Debug Messaging
Fix: Set 'Omit Trace Actions' to 'true'. The Omit Trace Actions flag in Flash development environments tells the compiler to remove any trace commands when creating the compiled SWF file. This will make the published SWF smaller, and it will remove any excess information or actions from the SWF.
c) Potentially Interesting Name Encountered
Fix: Before an application moves into production, make sure it is configured securely, and that information of potential value to an attacker is not being left in your application code. If applicable, remove this information from the production server.
d) Possible Application Information Disclosure
Fix: Before an application moves into production, make sure it is configured securely, and that information of potential value to an attacker is not being left in your application code. If applicable, remove this information from the production server.
The scan can be found here: https://h30406.www3.hp.com/campaigns/20 … hp?key=swf
One of my clients requires that the HPSWF scan returns a clean result. Any way the SV team can quickly fix these? They seem like pretty simple fixes from our end.
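A practitioner who has to hand a "clean" build back to a client usually wants a way to re-check the four findings above offline before paying for another scan. The following is an added example written for this page; it is not code from the forum post, from HP SWFScan, or from SimpleViewer. It decodes the SWF container (uncompressed FWS and zlib-compressed CWS; LZMA ZWS is left out) and then applies plain byte-pattern heuristics: the four MD5 initial-state words of RFC 1321 as 32-bit little-endian values (which is how AVM1 `ActionPush` stores integers, so a hand-rolled MD5 in ActionScript 2 leaves them in the bytecode), the bare identifier `trace`, and keyword and URL patterns standing in for the scanner's "interesting name" and "information disclosure" checks. The keyword list, the URL regex, and the sample SWF bodies are all constructed for the example, and a hit only says "look here", not that the file is exploitable.

```python
"""Heuristic offline check for SWFScan-style findings in a SWF file.

Added example, not SimpleViewer's or HP SWFScan's code. The keyword list,
URL pattern and sample bodies below are constructed for illustration.
"""
import re
import struct
import zlib

# RFC 1321 MD5 initial state (A, B, C, D) as 32-bit little-endian values.
# AVM1 (ActionScript 2) stores pushed integers this way; AVM2 (ActionScript 3)
# uses variable-length ints in its constant pool, so this raw check is weaker
# there and is only a heuristic.
MD5_INIT_WORDS = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
MD5_INIT_LE = [struct.pack("<I", w) for w in MD5_INIT_WORDS]

# Bare identifier "trace" (AS3 keeps it as a constant-pool string).
TRACE_RE = re.compile(rb"(?<![A-Za-z0-9_$])trace(?![A-Za-z0-9_$])")
# Assumed keyword list for "potentially interesting name" (constructed here).
INTERESTING_NAME_RE = re.compile(rb"(?i)(password|passwd|secret|admin|debug|fixme|todo)")
# Assumed pattern for "application information disclosure": URLs and
# server-side script paths left in the movie (constructed here).
INFO_DISCLOSURE_RE = re.compile(rb"(https?://\S+|/[A-Za-z0-9_./-]+\.(?:php|asp|aspx|jsp|xml))")


def swf_body(data: bytes) -> bytes:
    """Strip the 8-byte SWF header and return the uncompressed body."""
    if len(data) < 8:
        raise ValueError("shorter than a SWF header")
    sig = data[:3]
    declared = struct.unpack("<I", data[4:8])[0]  # uncompressed length incl. header
    if sig == b"FWS":
        body = data[8:]
    elif sig == b"CWS":
        body = zlib.decompress(data[8:])
    elif sig == b"ZWS":
        raise NotImplementedError("LZMA (ZWS) containers are out of scope here")
    else:
        raise ValueError("not a SWF signature: %r" % sig)
    if 8 + len(body) != declared:
        raise ValueError("header declares %d bytes, got %d" % (declared, 8 + len(body)))
    return body


def printable_strings(body: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII, like the Unix `strings` tool."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, body)


def scan_swf(data: bytes) -> dict:
    """Map each of the four SWFScan finding names to what the heuristics found."""
    body = swf_body(data)
    strings = printable_strings(body)
    return {
        "md5_hash_detected": all(w in body for w in MD5_INIT_LE),
        "debug_messaging": TRACE_RE.search(body) is not None,
        "interesting_names": sorted({m.group(0).lower()
                                     for s in strings
                                     for m in INTERESTING_NAME_RE.finditer(s)}),
        "info_disclosure": sorted({s for s in strings if INFO_DISCLOSURE_RE.search(s)}),
    }


def is_clean(report: dict) -> bool:
    """True when none of the four heuristics fired."""
    return (not report["md5_hash_detected"] and not report["debug_messaging"]
            and not report["interesting_names"] and not report["info_disclosure"])


def build_fws(body: bytes, version: int = 10) -> bytes:
    """Wrap a body in an uncompressed FWS header (structurally valid, not playable)."""
    return b"FWS" + bytes([version]) + struct.pack("<I", 8 + len(body)) + body


def build_cws(body: bytes, version: int = 10) -> bytes:
    """Wrap a body in a zlib-compressed CWS header (structurally valid, not playable)."""
    return b"CWS" + bytes([version]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)


# Constructed sample bodies: one that trips every heuristic, one that trips none.
DIRTY_BODY = (b"\x00" * 4 + b"trace\x00" + b"".join(MD5_INIT_LE)
              + b"\x00admin\x00password\x00http://example.invalid/debug.php\x00")
CLEAN_BODY = b"\x00" * 4 + b"public_name\x00"

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_cws(DIRTY_BODY)
    for name, value in scan_swf(data).items():
        print("%-20s %r" % (name, value))
```

Run it with the path of a published SWF as the only argument; with no argument it scans the constructed dirty sample. Because it only looks at the decompressed container, it will keep flagging `trace` until the movie is republished with trace actions omitted, which is exactly the condition the client's scan is checking for.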