Drupal 6 security update for Views Data Export!

by Elliot Christenson on October 5, 2016 - 2:20pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

There is a Moderately Critical security update for the Views Data Export module for an Access Bypass vulnerability.

The Views Data Export module allows you to create Views that can export downloadable files with their data. Access wasn't being checked on the resulting file, which means that theoretically any user having access to the export view and thus knowing the download URL could download any export file.

This is mitigated by the fact that export files are stored in the temporary directory which is periodically emptied out.

Here you can download the patch for 6.x-2.x or 6.x-3.x!

If you have a Drupal 6 site using the Views Data Export module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

If you're still on Drupal 6, you should switch to Pressflow ... ASAP!

by David Snopek on October 3, 2016 - 2:33pm

If you have a site that's still on Drupal 6, you're not alone. As of about a week ago, there are still over 88,000 Drupal 6 sites out there!

While support from the community ended on February 24th, the Drupal 6 Long-Term Support vendors have been hard at work, releasing over 20 security fixes for various contrib modules so far, including very popular modules like Views and Panels!

While the D6LTS vendors haven't released any security fixes for Drupal 6 core yet - it's only a matter of time!

If you want to be ready for it when they do, we recommend that you update to Pressflow. But that's not the only reason!

Read more to find out why and how!

Drupal 6 security updates for Flag!

by David Snopek on August 31, 2016 - 12:49pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Moderately Critical security release for the Flag module for multiple Access Bypass vulnerabilities.

The module includes a view that lists each user's bookmarked content as a tab on their user profile. The permissions on this view are set up incorrectly, allowing any user who has permission to use the 'bookmarks' flag to see the list of content that any user has bookmarked.

See the security advisory for Drupal 7 for more information.

Here you can download the patch for 6.x-1.x or 6.x-2.x!

If you have a Drupal 6 site using the Flag module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)


Drupal 6 security updates for Panels!

by Elliot Christenson on August 17, 2016 - 1:16pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Critical security release for the Panels module for multiple Access Bypass vulnerabilities.

The first vulnerability allows anonymous users to use AJAX callbacks to pull content and configuration from Panels, which allows them to access private data. The second allows authenticated users with permission to use the Panels IPE to modify the Panels display for pages that they don't otherwise have permission to edit.

See the security advisory for Drupal 7 for more information.

Here you can download the patch for 6.x-3.x!

If you have a Drupal 6 site using the Panels module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)


Creating a static copy of a Drupal 6 site

by Elliot Christenson on August 15, 2016 - 3:40pm

As you probably already know, Drupal 6 is end-of-lifed. This creates many risks for Drupal 6 site owners trying to keep their sites up! First and foremost: security updates are difficult to find and get. Because the energy of the Drupal community as a whole is focused on Drupal 8, the resources dedicated to keeping Drupal 6 secure are very limited. So, your site is more vulnerable to being hacked.

YouTube videos stop working with Lightbox2? Here's the fix!

by David Snopek on August 15, 2016 - 7:12am

This is similar to our last article about how YouTube videos stopped working with Embedded Video Field on Drupal 6 - except this is for Lightbox2 and affects Drupal 6, 7 and 8.

While we still can't seem to find any announcement from Google, it appears that the old YouTube embed code (which is used by the Lightbox2 module) has stopped working.

Using Lightbox2 to play videos is sort of an edge case, and there wasn't an existing fix for it, so we created a patch on this issue.

We encountered this issue with one of our Drupal 6 Long-Term Support customers, so we created a Drupal 6 patch too!

(We created a Drupal 7 patch, and looking at the code the Drupal 8 version appears to be affected also, but since there is no stable release for it, we didn't test it or create a D8 patch.)

To fix: just apply the 6.x-1.x or 7.x-2.x patch!

YouTube videos stop working on your Drupal 6 site? Here's the fix!

by David Snopek on August 12, 2016 - 4:47pm

If you have a Drupal 6 site that uses Embedded Media Field and the Media: YouTube module to embed the YouTube player on your site, you may have noticed it stopped working in the last couple days.

While we can't seem to find any announcement from Google, it appears that the old YouTube embed code which those modules use has stopped working.

Luckily, it's pretty easy to fix!

Read more to find out how...

Drupal 6 security updates for Google Analytics and Piwik!

by David Snopek on August 10, 2016 - 11:21am

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there are two Moderately Critical security releases for the Google Analytics and Piwik modules to fix a Cross-Site Scripting (XSS) vulnerability.

Users who have permission to configure these modules have the ability to add unrestricted, custom JavaScript to the page. However, it's not commonly known that this permission presents a security risk (and there was previously no way to separate the ability to configure the modules from the ability to add JavaScript).

The new versions create a new permission for adding JavaScript code, which users will need to have in addition to the permission necessary to configure the modules.

You can download one of the three patches for Google Analytics for 6.x-2.x, 6.x-3.x and 6.x-4.x.

And you can download this one patch for Piwik.

If you have a Drupal 6 site using the Google Analytics or Piwik modules, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)


It's August 2017: You're Still On Drupal 6, and that's OK!

by Elliot Christenson on August 8, 2016 - 4:55pm

No, that's not a typo. No, I'm not typing from the future. This is just a little bit of a look forward.

Since myDropWizard announced that we will be extending our Drupal 6 Long-Term Support into 2018, we fully anticipate having this discussion a year from now. Here’s a top ten list of your options and why it is fine to wait until 2017 to make your upgrade decisions!

Drupal 6 Long-Term Support for ... EVER?!

by David Snopek on July 19, 2016 - 10:18am

When we announced Drupal 6 Long-Term Support (LTS) back in November, we promised support until February 24th, 2017 (one year after official support ended).

What we've been telling people is, "We promise one year of support, but we'll watch how the situation evolves and if it makes sense, we'll announce another year of support before the end of 2016."

The problem is that if you haven't upgraded to Drupal 7 already, it makes the most sense (from the site owner's perspective) to update directly from Drupal 6 to Drupal 8. Unfortunately, Drupal 8 isn't ready for all sites! Drupal 6 LTS allows our customers to safely remain on Drupal 6 until Drupal 8 is ready.

So, the question when deciding if we should extend our Drupal 6 LTS sounds like: "Have our customers (and the Drupal community at large) had enough opportunity to upgrade from Drupal 6 to Drupal 8?"
