by David Snopek on August 10, 2016 - 11:21am

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there are two Moderately Critical security releases for the Google Analytics and Piwik modules to fix a Cross-Site Scripting (XSS) vulnerability.

Users who have permission to configure these modules have the ability to add unrestricted, custom JavaScript to the page, however, it's not commonly known that this permission presents a security risk (and there was previously no way to seperate the ability to configure the modules from the ability to add JavaScript).

The new versions create a new permission for adding JavaScript code, which users will need to have in addition to just the permission necessary to configure the modules.

You can download one the of three patches for Google Analytics for 6.x-2.x, 6.x-3.x and 6.x-4.x.

And you can download this one patch for Piwik.

If you have a Drupal 6 site using the Google Analytics or Piwik modules, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Want to read more articles like this?

myDropWizard.com blog Subscribe to the myDropWizard.com blog and recieve e-mail updates when new articles are published!

Add comment

o