As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!
Today, there is a Moderately Critical security release for the Views module to fix an Access Bypass vulnerability.
The Views module enables you to create custom displays of Drupal data.
When creating a View, you have the option to enable the use of AJAX. The Views module does not restrict access to the AJAX endpoint to only Views configured to use AJAX. This is mitigated by having access restrictions on the view.
Here you can download the Drupal 6 patch for 6.x-2.x or 6.x-3.x.
If you have a Drupal 6 site using the Views module, we recommend you update immediately.
If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.
Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).
It also proposes a possible path for fixing it: building an Open Source platform for nonprofit websites built on Drupal 8 and CiviCRM, available as a SaaS with hosting and support included.
Next week, we're planning to talk more details about how that BETA process will work!
However, this week, I wanted to take a little break from that, and talk more about CiviCRM in Drupal 8.
So, in this article, we're goning to:
Walk through how to install CiviCRM on Drupal 8. It's quite complicated now, but we're helping to improve that.
Talk about why we're betting on CiviCRM and not a CRM built in Drupal. There's a couple of great, pure Drupal solutions to CRM, like RedHen or CRM Core - but we've chosen to go with CiviCRM. Why?
As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!
Today, there is a Moderately Critical security release for the Facebook Like Button module to fix an Cross Site Scripting (XSS) vulnerability.
The module provides a Facebook Like button on node pages and blocks.
The module doesn't sufficiently sanitize certain configuration fields.
If you have a Drupal 6 site using the Facebook Like Button module, we recommend you update immediately.
If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.
Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).
My colleague, Elliot, recently wrote a controversial article called "Drupal sucks at non-profits," which led to some really great discussion in the comments. The general consensus is that Drupal 8 is great for big nonprofits (and big organizations in general) but has left the little guy behind.
Drupal used to be AWESOME for small nonprofits... How can we make it awesome again?
This is something we've been discussing internally for a long time, and we'd like to take a stab at a possible solution with the help of the community and some adventurous nonprofits.
In fact, we'd like to offer a FREE migration to Drupal 8 for 10 nonprofit organizations :-)
But, we'll get to that a little later! First, I'd like to dig into why the current situation kinda sucks...
Like many of you, I have a few sites that are fairly complex, utilize dozens of modules - and still run on Drupal 6. At this point, I don't want to invest the time to migrate them to Drupal 7 because I feel the momentum is finally beginning to shift into high gear for Drupal 8.
So, how do you know whether the Drupal 8 ecosystem is ready for a relatively straightforward migration? Thankfully, there are some great resources available!
If you're a non-profit volunteer, board member, director, or staff, should you be afraid of using Drupal for your website needs?
There's been a lot of doom and gloom in the Drupal Community with Drupal 8 being more complex than ever! Other "content management systems" (a.k.a. CMS's) have long claimed that "Drupal is hard", "Drupal is expensive".
Is Drupal hard? Is Drupal 8 even "harder"? Is it "too expensive" for your non-profit?
Does Drupal suck at non-profits?
In this article, I take a deep dive, looking at what non-profits need from a website and how well Drupal can provide for those needs.
Read on to see what I think, and PLEASE, share your thoughts in the comments below!
As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!
Today, there is a Moderately Critical security release for the SMTP module to fix an Information Disclosure vulnerability.
This SMTP module enables you to send mail using a third party (non-system) mail service instead of the local system mailer included with Drupal.
When this module is in debugging mode, it would log privileged information.
With the help of the D6LTS vendors, a new version was released.
If you have a Drupal 6 site using the SMTP module, we recommend you update immediately.
If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.
Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).
We received a couple e-mails asking if it affected Drupal 6, so I decided to post this short article to say:
Happily, Drupal 6 is not affected! :-)
Of the 3 vulnerabilities in that SA, the two Drupal 8 ones don't apply to Drupal 6: it doesn't have REST or YAML support.
We did extensive testing to see if the Drupal 7 one applied to Drupal 6, including, testing the 'upload' module (in Drupal 6 core) and with the contrib 'filefield' and 'webform' modules and couldn't reproduce the vulnerability.
(FYI, since we have access to the private Drupal security queue, we did our testing several months ago :-))
So, if you still use Drupal 6, you don't need to worry about a core update today!
As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!
Today, there is a Moderately Critical security release for the Search 404 module to fix an Cross Site Scripting (XSS) vulnerability.
The Search 404 module enables you to redirect 404 pages to a search page on the site for the keywords in the url that was not found.
The module did not filter administrator-provided text before displaying it to the user on the 404 page creating a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer search".
If you have a Drupal 6 site using the Search 404 module, we recommend you update immediately.
If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.
Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).
