We received a couple e-mails asking if it affected Drupal 6, so I decided to post this short article to say:
Happily, Drupal 6 is not affected! :-)
Of the 3 vulnerabilities in that SA, the two Drupal 8 ones don't apply to Drupal 6: it doesn't have REST or YAML support.
We did extensive testing to see if the Drupal 7 one applied to Drupal 6, including, testing the 'upload' module (in Drupal 6 core) and with the contrib 'filefield' and 'webform' modules and couldn't reproduce the vulnerability.
(FYI, since we have access to the private Drupal security queue, we did our testing several months ago :-))
So, if you still use Drupal 6, you don't need to worry about a core update today!
As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!
Today, there is a Moderately Critical security release for the Search 404 module to fix an Cross Site Scripting (XSS) vulnerability.
The Search 404 module enables you to redirect 404 pages to a search page on the site for the keywords in the url that was not found.
The module did not filter administrator-provided text before displaying it to the user on the 404 page creating a Cross Site Scripting (XSS) vulnerability.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer search".
If you have a Drupal 6 site using the Site Verify module, we recommend you update immediately.
If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.
Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).
When you're running your non-profit, there is so much to do: basically an unlimited amount of work, right? Board meetings, fund-raising - and then there's the actual world-changing work you signed-up to do!
Our ongoing series of helpful tips (click here to subscribe via e-mail) continues today with some help on how to efficiently manage one of the most common and important aspects of any non-profit: EVENTS.
In this article, we'll talk about how to setup events in Drupal, and at the end, there's a video tutorial showing the process step-by-step.
As part of our series discussing the use of Drupal in non-profits (click here to subscribe via e-mail), we recently reached out to one of our favorite clients, WIEGO, who candidly shared some of their struggles and successes.
Since re-launching their site on Drupal almost 6 years ago, they've grown from a site with 50 static pages, to a searchable, categorized repository of news and knowledge spanning over 22,000 articles!
In this case study, we gain some insights into how organizations like WIEGO decided on Drupal, have lived with some of the growing-pains, and are planning to move forward into the future!
As part of our ongoing series of blog posts intended to help you utilize Drupal in your non-profit, this week we decided to discuss an important part of all non-profits: donations and fundraising. Drupal can be used to display and promote your donations, track your donors and amounts, and even integrate with various payment systems. There are three main ways to accomplish many of these needs through Drupal: E-commerce "Shopping Carts", Basic Drupal Payments Integration, and Payment Widgets.
As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!
Today, there is a Moderately Critical security release for the Site Verify module to fix an Cross Site Scripting (XSS) vulnerability.
The Site Verify module enables privilege users to verify a site with services like Google Webmaster Tools using meta tags or file uploads.
The module doesn't sufficiently sanitize input or restrict uploads.
If you have a Drupal 6 site using the Site Verify module, we recommend you update immediately.
If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.
Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).
As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!
Today, there is a Critical security release for the AES encryption module.
The AES module provides an API for encrypting and decrypting data via AES. It also allows storing Drupal passwords encrypted in the database (rather than hashed) which can allow site administrators with high enough permissions to view user passwords.
Previously, the module implemented AES poorly, such that the encryption was weakened and could have potentially made it easier for an attacker to decrypt given enough examples of the encrypted data.
(A note about the timing of this release: the AES module was unsupported on March 1st, and we started working on a fix right away in the D6LTS queue. We usually release D6LTS patches the same day the D7/D8 patches are posted or two weeks after a module is unsupported, however, in this case we had only a single Enterprise customer using AES and so we worked on it according to a timeline dictated by them, which involved testing their custom modules using the AES API with their team. So, we're releasing this after it's been fully tested and deployed for our one affected customer - if more customers had been affect it would have been released same-day, as usual.)
If you have a Drupal 6 site using the AES module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)
If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.
Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).
The presentation wasn't recorded at the time, but it was so well received that I decided to record it again at my desk so I could share it with a wider audience. :-)
Here's the video:
(Sorry, for the poor audio! This was recorded sort of spontaneously...)
Lots of non-profit organizations use Drupal - they're actually our biggest group of customers! In working with so many non-profit organizations, we've come across some common problems non-profits have with their Drupal sites. We're going to do a series of articles with tips for non-profits -- this is this first one! (click here to subscribe and get them all via e-mail)
One of the most common problems is how to promote and acknopwledge sponsors, donors, in-kind volunteers on their website. Where to fit all the logos/names?
In this blog post, I'm going to tackle one of the most popular solutions: putting them in a sildeshow.
(There's other techniques which we'll look at in future articles!)
Read more to learn how to add a sponsor slideshow to your site!
As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!
Today, there is a Moderately Critical security release for an Access Bypass vulnerability the Legal module.
The Legal module displays your Terms & Conditions to users who want to register, and requires that they accept the T&C before their registration is accepted.
It had a bug where a specially crafted URL could allow anyone to login to a user account that hadn't yet accepted the terms and conditions. This is mitigated by the fact that an attacker must have a way to obtain the URL, possibly by snooping on web traffic that isn't protected via HTTPS or a man-in-the-middle attack.
(A note about the timing of this release: per our agreement with the Drupal Security Team, we were unable to release this patch until the same vulnerability was fixed for the Drupal 7 Legal module, or two weeks went by after that module was unsupported, if it appeared it wasn't going to be fixed. The fix for Drupal 7 was released today.)
If you have a Drupal 6 site using the Legal module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)
If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.
Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).
