Forum OpenACS Development: Re: Towards OpenACS 5.9.1

4: Re: Towards OpenACS 5.9.1 (response to 1)
Posted by Gustaf Neumann on
In the development of OpenACS 5.9.1, many changes in the oacs-5-9 branch are the result of vulnerability scanning with tools like acunetix. In particular, many of the demo scripts at openacs.org had serious security issues. Note that an attitude of "these are just demo programs" is bad, since the demo programs are also available by default on every OpenACS site; therefore these vulnerabilities affect those sites as well.

Since a vulnerability scanner typically fires 100-200 valid and invalid requests per second at the website for multiple days, many little errors and cases of insufficient error handling show up during these runs. Therefore, I've further cleaned up the applications used at openacs.org.

One nice consequence is that the number of errors in the error.log was reduced significantly. During the last week, only a single error message showed up in the error.log, whereas we have about 1/second in the year average (orange line). Also, the warnings were reduced by a factor of 40 (compare the avg values of the year chart vs. the week chart). Note that the scales of the charts are logarithmic.

Week statistics of entries in error.log 2016-07-26:


Year statistics of entries in error.log 2016-07-26:

Graphics are generated with the munin-plugins from [1].

[1] https://github.com/gustafn/munin-plugins-ns