Drupal 6 security update for CKEditor module

by David Snopek on March 18, 2020 - 3:22pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Moderately Critical security release for the CKEditor module to fix a Cross Site Scripting (XSS) vulnerability.

The CKEditor module provides one way to integrate CKEditor into Drupal.

Due to the usage of the JavaScript eval() function on non-filtered data in the admin section, it was possible for a user with permission to create content visible in the admin area to inject specially crafted malicious script.

The problem existed in the CKEditor module for Drupal, not in the JavaScript libraries with the same names. However, it's highly recommended that you update to the latest version of the CKEditor JavaScript library as well, because it also recently fixed some XSS vulnerabilities.

See the security advisory for Drupal 7 for more information.

Here you can download the Drupal 6 patch or the full release.

If you have a Drupal 6 site using the CKEditor module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Is Your Drupal Site Protected from Cancellation?

by Elliot Christenson on March 4, 2020 - 11:10pm

With world events as they are recently, many events and products have been cancelled. Timelines have been pushed off, budgets have been cut - there is a lot of uncertainty. What is the contingency plan for your Drupal site?

Drupal 9 is coming out soon. What to do to get ready?

by Elliot Christenson on February 5, 2020 - 9:55pm

As you may have heard, Drupal 9 is coming soon. Are you ready for it? What steps can you take to be ready? There are 3 main things you can do to prepare. Read on!

Drupal 9 is Coming Out in June. What To Do About Drupal 7!?

by Elliot Christenson on January 8, 2020 - 11:41pm

According to Drupal.org, Drupal 9 is scheduled to be released on June 3, 2020. It is scheduled to be released alongside an "LTS" minor version of Drupal 8 at the same time. What happens with Drupal 7?

There are three important things to know - and some associated dates:

  • When does community support end?
  • When does extended support end?
  • What should you do?

myDropWizard will give Extended Support to all current Drupal 7 customers!

by Elliot Christenson on December 19, 2019 - 12:04am

In November 2021, Drupal 7 will be End-of-Life (EOL). To continue getting security updates, you'll need to get Extended Support (D7ES). But if you sign up before EOL, you'll get automatic security updates until then AND a better price when EOL comes.

Drupal 6 security update for Webform module

by David Snopek on December 11, 2019 - 2:45pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Critical security release for the Webform module to fix a Cross Site Scripting (XSS) vulnerability.

The Webform module is for making forms and surveys in Drupal. 

It doesn't sufficiently sanitize token values taken from query strings. If a query string token is used as the value of a markup component, an attacker can inject JavaScript into a page.

See the security advisory for Drupal 7 for more information.

Here you can download the Drupal 6 patch or the full release.

If you have a Drupal 6 site using the Webform module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

What happens when the Drupal Security Team marks a module as unsupported?

by David Snopek on November 13, 2019 - 8:44pm

You may have noticed that today the Drupal Security Team marked 16 modules as unsupported, due to the module maintainer not fixing a reported security vulnerability after a sufficiently long period of time.

Among those modules, there were a few very popular ones like Administration Views and Nodequeue, which have reported ~118k and ~40k sites using them, respectively.

Every time a popular module is unsupported, there's a certain amount of panic and uncertainty, so I wanted to address that in this article, both for the Drupal community at large, and for our customers in particular, because we promise to deploy security updates the same day they are released.

Read more to see our perspective!

Wizards & Robots Save Drupal Websites From Non-Stop Attack!

by Elliot Christenson on October 16, 2019 - 7:53am

All versions of Drupal are under attack - no different than other software. What can be different is that websites are often custom, complex, and can be attacked seconds after an exploit is made public. myDropWizard's Support "Wizards" and our automated process "Robots" are continually working to keep you backed up, supported, and secured from all types of threats.

Drupal 6 security update for Ubercart module

by David Snopek on October 2, 2019 - 1:32pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Moderately Critical security release for the Ubercart module to fix a Cross Site Scripting (XSS) vulnerability.

The Ubercart module provides a shopping cart and e-commerce features for Drupal.

The order module doesn't sufficiently sanitize user input when displayed on an invoice, leading to an XSS vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "edit orders".

See the security advisory for Drupal 7 for more information.

Here you can download the Drupal 6 patch or the full release.

If you have a Drupal 6 site using the Ubercart module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Contact myDropWizard About Drupal 7 Life Support

by Elliot Christenson on September 18, 2019 - 8:22pm

We are less than 260 days from the release of Drupal 9. Whether you are moving away from Drupal, planning on updating to Drupal 8, or updating to Drupal 9 in 2020, you need your current Drupal 7 website kept up to date and watched over for security issues in the meantime.
