Drupal 6 security update for Legal

by David Snopek on May 17, 2017 - 9:29am

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Moderately Critical security release for an Access Bypass vulnerability the Legal module.

The Legal module displays your Terms & Conditions to users who want to register, and requires that they accept the T&C before their registration is accepted.

It had a bug where a specially crafted URL could allow anyone to login to a user account that hadn't yet accepted the terms and conditions. This is mitigated by the fact that an attacker must have a way to obtain the URL, possibly by snooping on web traffic that isn't protected via HTTPS or a man-in-the-middle attack.

(A note about the timing of this release: per our agreement with the Drupal Security Team, we were unable to release this patch until the same vulnerability was fixed for the Drupal 7 Legal module, or two weeks went by after that module was unsupported, if it appeared it wasn't going to be fixed. The fix for Drupal 7 was released today.)

Here you can download the Drupal 6 patch.

If you have a Drupal 6 site using the Legal module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Drupal 6 security update for Webform Multifile

by David Snopek on May 10, 2017 - 12:05pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Moderately Critical security release for the Webform Multifile module to fix an Access Bypass vulnerability.

This module enables you to upload multiple files at once in a Webform, but it didn't sufficiently check access to file deletion URLs.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to edit all or their own webform submissions.

See the security advisory for Drupal 7 for more information.

Here you can download the Drupal 6 patch.

If you have a Drupal 6 site using the Webform Multifile module, we recommend you update immediately.

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Drupal 6 security update for Remember Me

by David Snopek on May 3, 2017 - 3:10pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Moderately Critical security release for the Remember Me module.

Remember Me adds a "Remember me" checkbox to the login form.

It had a bug where it would override the session cookie lifetime, regardless of whether the user checked "Remember me" or not. This could affect applications that set the session cookie lifetime to a very short value, like banking websites.

(A note about the timing of this release: The Drupal 7 fix was released on April 23rd, however, we don't have any customers who depend on this module. So, it falls outside of the set of modules that we usually release security patches for on the same day they are released. But this is a module we like, so we decided to port the fix! :-))

Here you can download the Drupal 6 patch.

If you have a Drupal 6 site using the Remember Me module, we recommend you update immediately!

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Drupal 6 security update for CCK

by David Snopek on April 18, 2017 - 1:05pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Moderately Critical security release for the CCK module to fix an Access Bypass vulnerability.

CCK allows you to add custom fields to any content type.

The Node Reference sub-module had a bug where it could list the node titles of nodes that the user doesn't have access to.

(A note about the timing of this release: per our agreement with the Drupal Security Team, we were unable to release this patch until the same vulnerability was fixed for the Drupal 7 References module, or two weeks went by after that module was unsupported. The fix for References was released today.)

Here you can download the Drupal 6 patch.

If you have a Drupal 6 site using the CCK module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Drupal 6 security update for Services

by David Snopek on March 8, 2017 - 12:41pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Highly Critical security release for the Services module to fix a Remote Code Execution (RCE) vulnerability.

The Services module provides a standardized solution for building API's so that external clients can communicate with Drupal.

The module accepts user submitted data in PHP's serialization format ("Content-Type: application/vnd.php.serialized") which can lead to arbitrary remote code execution.

This vulnerability is mitigated by the fact that an attacker must know your Service Endpoint's path, and your Service Endpoint must have "application/vnd.php.serialized" enabled as a request parser.

See the security advisory for Drupal 7 for more information.

Here you can download the Drupal 6 patch.

NOTE: there's a pre-existing, unfixed security issue in the Drupal 6 version of Services from 2013 (see SA-CONTRIB-2013-051 - Services - Cross site request forgery (CSRF)), so using Services in Drupal 6 isn't recommended in general, however, that issue is much less critical than the one announced today.

If you have a Drupal 6 site using the Services module, we recommend you update immediately, or disable the Services module entirely.

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Drupal 6 security update for Views

by Elliot Christenson on February 22, 2017 - 3:12pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Moderately Critical security release for the Views module to fix an Access Bypass vulnerability.

The Views module allows site builders to create listings of various data in the Drupal database.

The Views module fails to call db_rewrite_sql() on queries that list Taxonomy Terms, which could cause private data stored on Taxonomy Terms to be leaked to users without permision to view it.

This is mitigated by the fact that a View must exist that lists Taxonomy Terms which contain private data. If all the data on Taxonomy Terms is public or there are no applicable Views, then your site is unaffected.

See the security advisory for Drupal 7 for more information.

Here you can download the Drupal 6 patch.

If you have a Drupal 6 site using the Views module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

We're One Year Into Drupal 6 EOL How Long To Go?

by Elliot Christenson on February 14, 2017 - 6:52pm

Originally, we announced Drupal 6 Long-Term Support (LTS) back in November 2015. We promised support until February 24th, 2017 (one year after official support ended).

Then, we extended support until February 24th, 2018. While we aren't quite ready to commit to extending support beyond that, as we encroach upon that original February 2017 deadline, we wanted to make sure that our clients understand that we will keep handling their Drupal 6 sites for (at least) another year.

Drupal Site Audit Security Surprises

by Elliot Christenson on January 10, 2017 - 6:51pm

I thought it would be a good idea to take a look back at some of our site audits. We undergo a gamut of automated and manual reviews of our clients' site file and databases. Because we have such a diverse array of clients, I surprisingly only saw a few strong trends.

Elysia Cron on Drupal 6? Audit your permissions!

by David Snopek on November 30, 2016 - 2:07pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, a security update for Elysia Cron was released for Drupal 7 per the SA-CONTRIB-2016-062 security advisory.

All the update does is mark the permission to administer Elysia Cron as "dangerous" because it allows users to execute arbitrary PHP code. This is by design, it's an explicity feature of Elysia Cron - if it wasn't intended by the module authors it would have been a Remote Code Execution vulnerability. However, users might not be aware that permission grants the ability to execute PHP, hence the security advisory!

Unfortunately, there isn't a way to mark a permission as dangerous under Drupal 6. There isn't even a way to have seperate machine name and human-readable labels for permissions, so there isn't a straight-forward way to add a user visible message. :-(

So, the Drupal 6 Long-Term Support vendors (us included) have decided to simply announce the problem and ask anyone using the Elysia Cron to audit which users/roles have the "administer elysia_cron" permission and make sure it's OK that they can execute arbitrary PHP code.

We're going to be auditting the permission on our client's sites, so, if you're one of our customers - no need to worry! We'll contact you if we have any concerns.

If you'd like us to handle this and similar issues, as well as have all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Drupal 6 is unaffected by SA-CORE-2016-005

by David Snopek on November 17, 2016 - 12:30pm

Yesterday, SA-CORE-2016-005 was published along with Drupal 7.52 and Drupal 8.2.3 to fix the security vulnerabilities described in that security advisory.

We've received a number of e-mails asking us, "When will the Drupal 6 patch for SA-CORE-2016-005 be released?"

Well, the good news is that Drupal 6 is unaffected by the vulnerabilities described in that security vulnerability, so there will be no patch. We just wanted to officially let everyone know, so there was no longer any confusion or worry. :-)

Thanks!