Drupal 6 version of 'me aliases' module not affected by SA-CONTRIB-2017-097

by David Snopek on December 20, 2017 - 1:31pm

Today, there was a Highly Critical security advisory for a Remote Code Execution (RCE) vulnerability in the me aliases module for Drupal 7:

me aliases - Highly critical - Arbitrary code execution - SA-CONTRIB-2017-097

This module provides shortcut paths to the current user's pages, e.g. user/me, blog/me, user/me/edit, tracker/me, etc.

It was incorrectly handling URL arguments that could allow an attacker to execute arbitrary PHP code.

However, the way the Drupal 6 version of the module handles URL arguments isn't vulnerable in the same way. So, Drupal 6 users can rest easy - your site isn't affected by this issue.

But if you do use it on Drupal 7, given the criticality of this issue, please update right away!

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Drupal 6 version of netFORUM Authentication not affected by SA-CONTRIB-2017-077

by David Snopek on October 11, 2017 - 1:37pm

Today, there was a Moderately Critical security advisory for an Access Bypass vulnerability in the netFORUM Authentication module for Drupal 7:

netFORUM Authentication - Moderately critical - Access Bypass - SA-CONTRIB-2017-077

The module bypassed the protections on the Drupal 7 user login form that deter brute-force login attempts, which made login less secure when using this module and so constituted an Access Bypass vulnerability.

However, Drupal 6 (including Pressflow 6) doesn't have these same protections for the user login form, and so using this module is no less secure than using vanilla Drupal 6. Of course, these protections could be added to this module, and while this would be great security hardening, their absence doesn't represent a vulnerability - only a weakness which is also present (and widely known) in Drupal 6 core.

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Drupal 6 versions of CAPTCHA and Clientside Validation are not affected by SA-CONTRIB-2017-072 or 073

by David Snopek on September 6, 2017 - 3:24pm

Today, there were two security advisories posted for modules that have Drupal 6 versions:

Happily, neither issue affects the Drupal 6 version of the modules!

I think this is particularly important for the Critical issue in Clientside Validation. Anyone who uses the Drupal 7 version of that module should update immediately! But, this time, Drupal 6 users can rest easy. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Drupal 6 not affected by SA-CORE-2017-003!

by David Snopek on June 21, 2017 - 5:50pm

Today, there were Critical security releases for Drupal 7 & 8:

https://www.drupal.org/SA-CORE-2017-003

We received a couple of e-mails asking if it affected Drupal 6, so I decided to post this short article to say:

Happily, Drupal 6 is not affected! :-)

Of the 3 vulnerabilities in that SA, the two Drupal 8 ones don't apply to Drupal 6: it doesn't have REST or YAML support.

We did extensive testing to see if the Drupal 7 one applied to Drupal 6, including testing the 'upload' module (in Drupal 6 core) and the contrib 'filefield' and 'webform' modules, and couldn't reproduce the vulnerability.

(FYI, since we have access to the private Drupal security queue, we did our testing several months ago :-))

So, if you still use Drupal 6, you don't need to worry about a core update today!


WIEGO: 6 years and 22,000 articles - a Drupal Non-Profit Case Study!

by Elliot Christenson on June 7, 2017 - 3:14pm

As part of our series discussing the use of Drupal in non-profits (click here to subscribe via e-mail), we recently reached out to one of our favorite clients, WIEGO, who candidly shared some of their struggles and successes.

Since re-launching their site on Drupal almost 6 years ago, they've grown from a site with 50 static pages, to a searchable, categorized repository of news and knowledge spanning over 22,000 articles!

In this case study, we gain some insights into how organizations like WIEGO decided on Drupal, have lived with some of the growing-pains, and are planning to move forward into the future!

Read more to find out!

Drupal 6: Are You Out of Time?

by Elliot Christenson on December 6, 2016 - 6:35pm

Do you still operate a Drupal 6 website? Are you getting questions from your management team, technical teams or even board of directors on pending upgrades? Are they afraid of the Drupal 6 "End of Life"? What should you do? What should you tell them? Read more to hear some brief thoughts on the big decision!

5 reasons you should outsource Drupal maintenance and support

by Elliot Christenson on August 29, 2016 - 6:55pm

You run a Drupal Agency - or you're an independent Drupal Developer. Your customers need support. You try to do support. You try to get back to project work. You try to do support. You try to get back to project work. You get the idea. Ad nauseam. That's your life.

What if there were a better way? What if you could spend time doing more profitable things - and spend your spare time like the attached image: on the beach?

We've been there, and we've come up with a handful of key reasons why we feel you should consider outsourcing your Drupal Support and Maintenance.

Read more to find out!

Survey Results From "Is Drupal Hard?"

by Elliot Christenson on August 23, 2016 - 7:51am

A few weeks ago, we had A Survey! Is Drupal Hard?

First of all, thank you for taking the time to answer (even though we had a short-lived technical snafu!). At myDropWizard, we believe in transparency and openness, so I'm going to share the unfiltered data with you - as well as what my thoughts are in interpreting this non-scientific study.

Drupal 6 Is Dead. Long Live Drupal 6!

by Elliot Christenson on June 27, 2016 - 4:08pm

Is Drupal 6 Finally Dead Yet?

The Drupal Community is doing all that we can to move beyond Drupal 6.

We're working hard. We're improving Drupal 8. We're keeping Drupal 7 secure.

You may have heard about the DRUPAL 6 FUNERAL at DrupalCon New Orleans. It's true! There certainly was a fun funeral for Drupal 6 - we even put together a montage of some of the highlights. Of course, we at myDropWizard joked that perhaps we should have dressed as "the ghost of Drupal 6".

Why you SHOULDN'T upgrade from Drupal 6!

by David Snopek on April 12, 2016 - 2:00pm

Ever since Drupal 6's End-of-Life on February 24th, there have been countless blogs and articles about why you should upgrade to Drupal 7 or 8 as quickly as possible.

But this may be the only article arguing that you SHOULDN'T upgrade from Drupal 6! ;-)

If you have a complex Drupal 6 site, and you haven't started the upgrade process yet - contrary to conventional wisdom - the best answer may be: keep waiting.

No, this isn't an April Fools joke, and we're not being sarcastic. :-)

Want to know why? Keep reading!
