Drupal 6 security update for Session Limit module

by David Snopek on October 31, 2018 - 1:28pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Critical security release for the Session Limit module to fix an Insecure Session Management vulnerability.

The session limit module enables a site administrator to set a policy around the number of active sessions users of the site may have.

The module does not sufficiently tokenise the list of sessions so that the user's session keys can be found through inspection of the form.

See the security advisory for Drupal 7 for more information.

Here you can download the Drupal 6 patch.

If you have a Drupal 6 site using the Session Limit module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Drupal 6 security update for Search Autocomplete module

by David Snopek on October 17, 2018 - 11:55pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Moderately Critical security release for the Search Autocomplete module to fix a Cross Site Scripting (XSS) vulnerability.

The Search Autocomplete module enables you to autocomplete a textfield using data from your website.

The module doesn't sufficiently filter user-entered text among the autocompletion items leading to an XSS vulnerability.

See the security advisory for Drupal 7 for more information.

Here you can download the Drupal 6 patch.

Note: We only support the 6.x-2.x branch (we don't have any customers on the 6.x-4.x branch), so that's the only one we're going to do.

If you have a Drupal 6 site using the Search Autocomplete module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Drupal 6 core security update for SA-CORE-2018-006 (and mimemail and htmlmail)

by David Snopek on October 17, 2018 - 6:17pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Critical security release for Drupal core to fix multiple vulnerabilities. You can learn more in the security advisory:

Drupal core - Critical - Multiple Vulnerabilities - SA-CORE-2018-006

The following vulnerabilities mentioned in the security advisory also affect Drupal 6:

  • External URL injection through URL aliases - Moderately Critical - Open Redirect

  • Injection in DefaultMailSystem::mail() - Critical - Remote Code Execution

The first vulnerability is in Drupal 6 core; however, the 2nd is only present in the contrib modules htmlmail and mimemail. If you don't use those modules, you're not affected by the 2nd vulnerability.

If you have a Drupal 6 site, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Drupal 6 security update for Lightbox2 module

by David Snopek on October 10, 2018 - 12:40pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Critical security release for the Lightbox2 module to fix a Cross Site Scripting (XSS) vulnerability.

The Lightbox2 module enables you to overlay images on the current page.

The module did not sanitize some inputs when used in combination with a custom View leading to potential XSS.

See the security advisory for Drupal 7 for more information.

Here you can download the Drupal 6 patch.

If you have a Drupal 6 site using the Lightbox2 module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Announcing Drupal 6.45 (and selected contrib) for PHP 7.2!

by David Snopek on October 8, 2018 - 4:45pm

If you haven't heard yet, PHP 5 will reach the end of its security support (from the upstream project) in December of this year.

During DrupalCon Baltimore we announced that we'd be updating Drupal 6 to work with PHP 7.2, and, in September, we announced that we'd be making a big push to get that live with a couple of our customers.

Finally, we have something to show for it! :-)

So far, we've only tested with a few sites, so I'm sure there are some additional issues and bugs we haven't encountered yet. But we have an initial release of Drupal core and some selected contrib modules that work with PHP 7.2 in our testing.

And all our work so far has been released back to the community!

Read more for the details :-)

Drupal 6 security update for Print module (CRITICAL!)

by David Snopek on October 3, 2018 - 4:30pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Critical security release for the Print module to fix a Remote Code Execution (RCE) vulnerability.

The Print module provides printer-friendly versions of content, including send by e-mail and PDF versions.

The module doesn't sufficiently sanitize the arguments passed to the wkhtmltopdf executable, or HTML passed to dompdf or other PDF generation tools.

See the security advisory for Drupal 7 for more information.

NOTE: This vulnerability has a lower risk in Drupal 6 than in Drupal 7 (where it's Highly Critical). This is because you can't pass shell commands to execute using the HTTP basic auth user/pass, like you can in Drupal 7.

Here you can download the Drupal 6 patch.

If you have a Drupal 6 site using the Print module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

So, When Do I REALLY Need to Upgrade From Drupal 7?

by Elliot Christenson on September 20, 2018 - 1:07am

Drupal 8 was released on November 19, 2015 - nearly three years ago. The drastic architectural changes created a difficult upgrade path for those running Drupal 7. With the huge amount of investment in Drupal 7 over the previous 5 years, this set off shockwaves of fear across the Drupal ecosystem. Recently, Dries Buytaert, the project lead for Drupal, announced the planned launch of Drupal 9 in 2020. That signals the "End of Life" of Drupal 7 in November 2021. When do I need to upgrade?

By the way, that is more than ten years after the release of the first version of Drupal 7!

It's also the date of the "End of Life" of Drupal 8 (more on that later).

Drupal 6 on PHP 7

by David Snopek on September 5, 2018 - 2:59pm

Back in May, we announced that we'd be working on getting Drupal 6 core, and the contrib modules used by our D6LTS customers, working on PHP 7.2 before the end of the year.

This is largely because PHP 5 will be reaching its End of Life (EOL) on December 31st, and will no longer be supported by the PHP maintainers, which means no more security updates.

How can we help keep your Drupal 6 site secure, if PHP itself is insecure?

Well, that deadline is coming up fast, and in fact, may be coming sooner than December for folks hosted with certain hosting companies!

Acquia just announced that they'll automatically switch all sites hosted on Acquia Cloud to PHP 7.1 on October 1st, less than a month away from now.

Inspired by this (read: some of our customers are hosted on Acquia ;-)) we're going to make a push to get a handful of brave D6LTS customers switched to PHP 7.1 or 7.2 by the end of September.

After proving this out with a handful of sites in September, we'll continue to roll that out to the rest of our customers in October, November and December.

Interested in getting involved? Wondering how much of this will be shared with the community?

Read the rest of the article!

Drupal support you can actually afford

by Sofia Saldana on August 9, 2018 - 4:07am

Having a Drupal site can be the best thing for your business: for the first few months or years.

However, like any other software, you can start experiencing some problems: security issues, software conflicts, feature upgrades - even simply forgetting how to perform some actions within the system! Having to fix issues could be expensive. Hiring support staff to help you with getting things done can be very expensive!

But there is a better way:

Organizations like what Katie and Henry run can't afford to have their website offline. This stops donations or sales from coming in, stops news and outreach, and can even put a halt to an entire web dependent organization!

Be like Katie and Henry and get your Drupal site protected with myDropWizard. Choose the Best Route!


Roundearth.io 101: Drupal 8 + CiviCRM for Beginners

by Elliot Christenson on July 25, 2018 - 9:49pm

We're Drupalers who only recently started digging deep into CiviCRM and we're finding some really cool things! This series of videos is meant to share those secrets with other Drupalers, in case they come across a project that could use them. :-)

There are millions of nonprofit organizations and small businesses across the planet: we want all of them using Roundearth! In the screencast below, we'll show what myDropWizard's Roundearth is all about and offer a brief glimpse at what it looks like logged-in.

Watch the screencast to see our brief overview of Roundearth:

Some highlights from the video:

  • What is Roundearth?
  • Who can use Roundearth?

Please leave a comment below!
