Drupal is great for nonprofits. What about managing relationships?

by Elliot Christenson on January 3, 2018 - 11:21am

As Drupalers, we spend a lot of time thinking about websites - but the website is only the first step! If your beautiful Drupal site is doing its job, then people will be able to find you and contact you. But what happens then?

Whether you're starting a new venture, or you're working in an existing organization, there is a need to track these touchpoints.

Some organizations take an ad hoc approach using paper records, an email-centric approach in Gmail or Outlook, or even Google or MS-Office documents.

This might seem like a totally fine solution! It certainly can be made to work for a while. Scaling is one obvious issue - a shared spreadsheet or email mailbox can quickly become chaotic with more than a few users.

Another issue is the tendency for silos to crop up:

  • What about when you need print mailings created?
  • What about when you need a different type of data captured - like event participation?
  • What about tracking email newsletters?
  • SMS campaigns?

Wouldn’t it be great to have a tool to keep track of ALL the people who have contacted you, some information about them, and ALL the interactions you’ve had with them?

Drupal 6 version of 'me aliases' module not affected by SA-CONTRIB-2017-097

by David Snopek on December 20, 2017 - 1:31pm

Today, there was a Highly Critical security advisory for a Remote Code Execution (RCE) vulnerability in the me aliases module for Drupal 7:

me aliases - Highly critical - Arbitrary code execution - SA-CONTRIB-2017-097

This module provides shortcut paths to the current user's pages, e.g. user/me, blog/me, user/me/edit, tracker/me, etc.

It was handling URL arguments incorrectly, which could allow an attacker to execute arbitrary PHP code.

However, the way the Drupal 6 version of the module handles URL arguments isn't vulnerable in the same way. So, Drupal 6 users can rest easy - your site isn't affected by this issue.

But if you do use it on Drupal 7, given the criticality of this issue, please update right away!

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

CiviCRM secrets for Drupalers: Email Campaigns

by Elliot Christenson on December 13, 2017 - 8:14pm

We're Drupalers who only recently started digging deep into CiviCRM and we're finding some really cool things! This series of videos is meant to share those secrets with other Drupalers, in case they come across a project that could use them. :-)

Most Drupalers have at one time had to deal with either sending e-mail newsletters directly from Drupal, or integrating with a third-party tool like Mailchimp or Constant Contact.

CiviCRM has built-in e-mail newsletter functionality, and if you add the WYSIWYG e-mail builder Mosaico to it, you can build really rich, responsive e-mail campaigns!

Watch the video here:

Some highlights from the video:

  • A sneak peek at Round Earth: our project that bundles Drupal 8 + CiviCRM
  • Drupal 8 + CiviCRM vs. "only" Drupal
  • A quick walk-through on how to quickly and easily create an email campaign
  • Plus, we mention a couple of current "gotchas" that could save you frustration!

Please leave a comment below!

Drupal 6 security update for Mailhandler!

by David Snopek on December 6, 2017 - 2:37pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Critical security release for the Mailhandler module to fix a Remote Code Execution (RCE) vulnerability.

Remote Code Execution vulnerabilities are scary - it basically means that an attacker can run arbitrary code on your site. However, there are a number of mitigating factors in this case, so it's recommended to read the security advisory for Drupal 7.

With the help of the D6LTS vendors, a new version was released for Drupal 6 as well.

You can also download the patch.

If you have a Drupal 6 site using the Mailhandler module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)


Agencies: Don't keep passwords in your wiki!

by Elliot Christenson on November 15, 2017 - 10:16am

You spend so much time writing secure code, and doing security updates, but you're putting all of that in danger with your wiki. A huge percentage of agencies put passwords into wikis - and other shared resources!!!

Using a shared Google/Office document or spreadsheet - even with black text on a black background - isn't much better! So, think of "wiki" in this context as being any "low-cost, low-security, high-accessibility, super-convenient storage."

You are putting your agency AND your customers at risk by keeping passwords in your company wiki!

Read more to find out why, and a better way to do it!

Using lots of different tools? Do it all in Drupal instead!

by Elliot Christenson on November 8, 2017 - 11:43pm

You need a website. You need to send an e-mail newsletter. You need to track (potential) volunteers, donors, or customers. You could use Drupal, Mailchimp and HubSpot. Or you could do it all in Drupal.

We've been using the tools above in our own organization, and we continue to use them. Yet, we've been toying with the idea of moving more of our daily usage to a more Drupal-based solution. I'll try to outline some of the pros and cons of each approach. I think you'll see that for many organizations the Drupal solution could end up on the winning side of the decision!

Drupal 6 security update for Autologout 6.x-4.x

by Elliot Christenson on November 1, 2017 - 3:16pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Moderately Critical security release for the Autologout module to fix a Cross-Site Scripting (XSS) vulnerability.

This module provides a site administrator the ability to log users out after a specified time of inactivity.

The module does not sufficiently filter user-supplied text that is shown when logging a user out. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer autologout".

See the security advisory for Drupal 7 for more information.

Here you can download the Drupal 6 patch.

NOTE: This only affects the Autologout 6.x-4.x branch -- the 6.x-2.x branch (which we also support) isn't vulnerable.

If you have a Drupal 6 site using the Autologout module, we recommend you update immediately.


It's OK to build new sites on Drupal 7

by David Snopek on October 17, 2017 - 4:11pm

In about a month, it'll be 2 years since Drupal 8.0.0 was released. Drupal 8 has come a long way since then, especially with Drupal 8.4.0 released two weeks ago, which is the most feature-packed release yet.

Drupal 8 is the future of Drupal. It's awesome.

However, looking at all the blogs and articles and podcasts in the Drupalsphere, we're sending a message that you should only build new sites on Drupal 8.

The common wisdom is that starting a new project on Drupal 7 is a dumb idea.

While I'm sure there are lots of people who are OK with that or even think that's the right message...

I strongly believe that we are hurting the Drupal project by sending that message.

Read more to find out why!

Drupal 6 version of netFORUM Authentication not affected by SA-CONTRIB-2017-077

by David Snopek on October 11, 2017 - 1:37pm

Today, there was a Moderately Critical security advisory for an Access Bypass vulnerability in the netFORUM Authentication module for Drupal 7:

netFORUM Authentication - Moderately critical - Access Bypass - SA-CONTRIB-2017-077

The module was bypassing the protections on the Drupal 7 user login form that deter brute-force attempts to log in to the site. This was an Access Bypass vulnerability because it made login less secure when using this module.

However, Drupal 6 (including Pressflow 6) doesn't have these same protections for the user login form, so using this module is no less secure than using vanilla Drupal 6. Of course, these protections could be added to this module, and while this would be great security hardening, their absence doesn't represent a vulnerability - only a weakness which is also present (and widely known) in Drupal 6 core.


Drupal 8: Now a Great Podcast Platform

by Elliot Christenson on October 11, 2017 - 10:25am

If you are an agency, solo Drupaler, or just want to add a podcast to your organization's marketing, this might be of interest to you. I created a very simple podcast module...
