Drupal 6 version of netFORUM Authentication not affected by SA-CONTRIB-2017-077

by David Snopek on October 11, 2017 - 1:37pm

Today, there was a Moderately Critical security advisory for an Access Bypass vulnerability in the netFORUM Authentication module for Drupal 7:

netFORUM Authentication - Moderately critical - Access Bypass - SA-CONTRIB-2017-077

The module was bypassing the protections on the Drupal 7 user login form that deter brute-force login attempts. Because login was less secure with the module than without it, this was classed as an Access Bypass vulnerability.

However, Drupal 6 (including Pressflow 6) doesn't have these same protections for the user login form, so using this module is no less secure than using vanilla Drupal 6. Of course, these protections could be added to this module, and while this would be great security hardening, this doesn't represent a vulnerability - only a weakness which is also present (and widely known) in Drupal 6 core.

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Drupal 6 versions of CAPTCHA and Clientside Validation are not affected by SA-CONTRIB-2017-072 or 073

by David Snopek on September 6, 2017 - 3:24pm

Today, there were two security advisories posted for modules that have Drupal 6 versions:

Happily, neither issue affects the Drupal 6 version of the modules!

I think this is particularly important for the Critical issue in Clientside Validation. Anyone who uses the Drupal 7 version of that module should update immediately! But, this time, Drupal 6 users can rest easy. :-)

Drupal 6 not affected by SA-CORE-2017-003!

by David Snopek on June 21, 2017 - 5:50pm

Today, there were Critical security releases for Drupal 7 & 8:

https://www.drupal.org/SA-CORE-2017-003

We received a couple e-mails asking if it affected Drupal 6, so I decided to post this short article to say:

Happily, Drupal 6 is not affected! :-)

Of the 3 vulnerabilities in that SA, the two Drupal 8 ones don't apply to Drupal 6: it doesn't have REST or YAML support.

We did extensive testing to see if the Drupal 7 one applied to Drupal 6, including testing the 'upload' module (in Drupal 6 core) and the contrib 'filefield' and 'webform' modules, and couldn't reproduce the vulnerability.

(FYI, since we have access to the private Drupal security queue, we did our testing several months ago :-))

So, if you still use Drupal 6, you don't need to worry about a core update today!


WIEGO: 6 years and 22,000 articles - a Drupal Non-Profit Case Study!

by Elliot Christenson on June 7, 2017 - 3:14pm

As part of our series discussing the use of Drupal in non-profits (click here to subscribe via e-mail), we recently reached out to one of our favorite clients, WIEGO, who candidly shared some of their struggles and successes.

Since re-launching their site on Drupal almost 6 years ago, they've grown from a site with 50 static pages, to a searchable, categorized repository of news and knowledge spanning over 22,000 articles!

In this case study, we gain some insights into how organizations like WIEGO decided on Drupal, have lived with some of the growing-pains, and are planning to move forward into the future!

Read more to find out!

Drupal 6: Are You Out of Time?

by Elliot Christenson on December 6, 2016 - 6:35pm

Do you still operate a Drupal 6 website? Are you getting questions from your management team, technical teams or even board of directors on pending upgrades? Are they afraid of the Drupal 6 "End of Life"? What should you do? What should you tell them? Read more to hear some brief thoughts on the big decision!

5 reasons you should outsource Drupal maintenance and support

by Elliot Christenson on August 29, 2016 - 6:55pm

You run a Drupal Agency - or you're an independent Drupal Developer. Your customers need support. You try to do support. You try to get back to project work. You try to do support. You try to get back to project work. You get the idea. Ad nauseam. That's your life.

What if there were a better way? What if you could spend time doing more profitable things - and spend your spare time like the attached image: on the beach?

We've been there, and we've come up with a handful of key reasons why we feel you should consider outsourcing your Drupal Support and Maintenance.

Read more to find out!

Survey Results From "Is Drupal Hard?"

by Elliot Christenson on August 23, 2016 - 7:51am

A few weeks ago, we had A Survey! Is Drupal Hard?

First of all, thank you for taking the time to answer (even though we had a short-lived technical snafu!). At myDropWizard, we believe in transparency and openness, so I'm going to share the unfiltered data with you - as well as what my thoughts are in interpreting this non-scientific study.

Drupal 6 Is Dead. Long Live Drupal 6!

by Elliot Christenson on June 27, 2016 - 4:08pm

Is Drupal 6 Finally Dead Yet?

The Drupal Community is doing all that we can to move beyond Drupal 6.

We're working hard. We're improving Drupal 8. We're keeping Drupal 7 secure.

You may have heard about the DRUPAL 6 FUNERAL at DrupalCon New Orleans. It's true! There certainly was a fun funeral for Drupal 6 - we even put together a montage of some of the highlights. Of course, we at myDropWizard joked that perhaps we should have dressed as "the ghost of Drupal 6".

Why you SHOULDN'T upgrade from Drupal 6!

by David Snopek on April 12, 2016 - 2:00pm

Ever since Drupal 6's End-of-Life on February 24th, there have been countless blogs and articles about why you should upgrade to Drupal 7 or 8 as quickly as possible.

But this may be the only article arguing that you SHOULDN'T upgrade from Drupal 6! ;-)

If you have a complex Drupal 6 site, and you haven't started the upgrade process yet - contrary to conventional wisdom - the best answer may be: keep waiting.

No, this isn't an April Fools joke, and we're not being sarcastic. :-)

Want to know why? Keep reading!

Security Review 1.3 released for Drupal 6!

by David Snopek on March 24, 2016 - 5:03pm

If you're running a Drupal site of any version (6, 7 or 8), I highly recommend installing the Security Review module and following its recommendations!

What many people don't realize is that even if you've applied every security update that affects your site, it's possible to introduce vulnerabilities (or make it super easy to escalate a minor vulnerability to a highly critical one) by configuring your Drupal site insecurely.

The Security Review module can identify the most common insecure configurations on your site and tell you how to fix them!

However, if you're planning on keeping your Drupal 6 site running after its End-of-Life (EOL), it's doubly important that you install the Security Review module and harden your site's configuration.

And, yesterday, we released Security Review 1.3 for Drupal 6!

This release is basically the same as the 6.x-1.x-dev release has been for a year, but we've been using it successfully with our customers for quite a while. So, we figured it was time to make a proper release. :-)

However, we intend to continue maintaining the Drupal 6 version of the module and hope to fix (or otherwise close) the last 20 open issues and make more releases.

While most other modules are discontinuing maintenance on their Drupal 6 versions because of the EOL, I think this is one module that needs increased maintenance because of it. :-)
