Drupal 6 version of 'me aliases' module not affected by SA-CONTRIB-2017-097

by David Snopek on December 20, 2017 - 1:31pm

Today, there was a Highly Critical security advisory for a Remote Code Execution (RCE) vulnerability in the me aliases module for Drupal 7:

me aliases - Highly critical - Arbitrary code execution - SA-CONTRIB-2017-097

This module provides shortcut paths to current user's pages, eg user/me, blog/me, user/me/edit, tracker/me etc.

It was incorrectly handling URL arguments that could allow an attacker to execute arbitrary PHP code.

However, the way the Drupal 6 version of the module handles URL arguments isn't vulnerable in the same way. So, Drupal 6 users can rest easy - your site isn't affected by this issue.

But if you do use it on Drupal 7, given the criticality of this issue, please update right away!

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

CiviCRM secrets for Drupalers: Email Campaigns

by Elliot Christenson on December 13, 2017 - 8:14pm

We're Drupalers who only recently started digging deep into CiviCRM and we're finding some really cool things! This series of videos is meant to share those secrets with other Drupalers, in case they come across a project that could use them. :-)

Most Drupalers at one time have had to deal with either sending e-mail newsletters directly from Drupal, or integrating with a 3rd party tool like Mailchimp or Constant Contact.

CiviCRM has built in e-mail newsletter functionality, and if you add to it the WYSIWYG e-mail builder Mosaico you can build really rich, responsive e-mail campaigns!

Watch the video here:

Some highlights from the video:

  • A sneak peek at Round Earth: our project that bundles Drupal 8 + CiviCRM
  • Drupal 8 + CiviCRM vs. "only" Drupal
  • A quick walk-through on how to quickly and easily create an email campaign
  • Plus, we mention a couple of current "gotchas" that could save you frustration!

Please leave a comment below!

Drupal 6 security update for Mailhandler!

by David Snopek on December 6, 2017 - 2:37pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Critical security release for the Mailhandler module to fix a Remote Code Execution (RCE) vulnerability.

Remote Code Execution vulnerabilities are scary - it basically means that an attacker can run arbitrary code on your site. However, there a number of mitigating factors in this case, so, it's recommended to read the security advisory for Drupal 7.

With the help of the D6LTS vendors, a new version was released for Drupal 6 as well.

You can also download the patch the patch.

If you have a Drupal 6 site using the Mailhandler module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Agencies: Don't keep passwords in your wiki!

by Elliot Christenson on November 15, 2017 - 10:16am

You spend so much time writing secure code, and doing security updates, but you're putting all of that in danger with your wiki. A huge percentage of agencies put passwords into wikis - and other shared resources!!!

Using a shared Google/Office document, spreadsheet - even with black text on a black background - isn't much better! So, think of "wiki" in this context as being any "low-cost, low-security, high-accessibility, super-convenient storage."

You are putting your agency AND your customers at risk by keeping passwords in your company wiki!

Read more to find out why, and a better way to do it!

Using lots of different tools? Do it all in Drupal instead!

by Elliot Christenson on November 8, 2017 - 11:43pm

You need a website. You need to send an e-mail newsletter. You need to track (potential) volunteers, donors, or customers. You could use Drupal, Mailchimp and HubSpot. Or you could do it all in Drupal.

We've been using the tools above in our own organization, and we continue to use them. Yet, we've been toying with the idea of moving more of our daily usage to a more Drupal based solution. I'll try to outline some of the pros and cons of each approach. I think you'll see for many organizations the Drupal solution could end-up on the winning side of the decision!

Drupal 6 security update for Autologout 6.x-4.x

by Elliot Christenson on November 1, 2017 - 3:16pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Moderately Critical security release for the Autologout module to fix a Cross Site Scripting (XSS) vulnerability.

This module provides a site administrator the ability to log users out after a specified time of inactivity.

The module does not sufficiently filter user-supplied text that is shown when logging a user out. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer autologout".

See the security advisory for Drupal 7 for more information.

Here you can download the Drupal 6 patch.

NOTE: This only affects the Autologout 6.x-4.x branch -- the 6.x-2.x branch (which we also support) isn't vulnerable.

If you have a Drupal 6 site using the Autologout module, we recommend you update immediately.

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

It's OK to build new sites on Drupal 7

by David Snopek on October 17, 2017 - 4:11pm

In about a month, it'll be 2 years since Drupal 8.0.0 was released. Drupal 8 has come a long way since then, especially with Drupal 8.4.0 released two weeks ago, which is the most feature-packed release yet.

Drupal 8 is the future of Drupal. It's awesome.

However, looking at all the blogs and articles and podcasts in the Drupalsphere, we're sending a message that you should only build new sites on Drupal 8.

The common wisdom is that starting a new project on Drupal 7 is dumb idea.

While I'm sure there's lots of people who are OK with that or even think that's the right message...

I strongly believe that we are hurting the Drupal project by sending that message.

Read more to find out why!

Drupal 6 version of netFORUM Authentication not affected by SA-CONTRIB-2017-077

by David Snopek on October 11, 2017 - 1:37pm

Today, there was a Moderately Critical security advisory for an Access Bypass vulnerability in the netFORUM Authentication module for Drupal 7:

netFORUM Authentication - Moderately critical - Access Bypass - SA-CONTRIB-2017-077

The module was bypassing protections on the Drupal 7 user login form, to deter brute force attempts to login to the site, and so was an Access Bypass vulnerability by making login less secure when using this module.

However, Drupal 6 (including Pressflow 6) don't have these same protections for the user login form, and so, using this module is no less secure than using vanilla Drupal 6. Of course, these protections could be added to this module, and while this would be great security hardening, this doesn't represent a vulnerability - only a weakness which is also present (and widely known) in Drupal 6 core.

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Agencies: How to Turn Micro-Tracking Off and Profit-Making On!

by Elliot Christenson on September 20, 2017 - 1:44pm

All businesses have to track their income and expenses. That's the most fundamental axiom of business. We've all learned to think about this in terms of time or "billable hours" After-all, we track our success based on how many billable hours we either get paid or "save".

Is that working for you perfectly?

WTH is "Micro-Tracking" and Why is it Terrible?

I define "micro-tracking" as the "micro-managing of time and resources". We see a few things wrong with "micro-tracking" - specifically for support - but possibly other business expenses.

Do you bill clients by the minute? Even the hour?

It's almost always a terrible idea to watch the clock for support!

Below I'll attempt to outline a few of the downsides...

Drupal 6 versions of CAPTCHA and Clientside Validation are not affected by SA-CONTRIB-2017-072 or 073

by David Snopek on September 6, 2017 - 3:24pm

Today, there were two security advisories posted for modules that have Drupal 6 versions:

Happily, neither issue affects the Drupal 6 version of the modules!

I think this is particularly important for the Critical issue in Clientside Validation. Anyone who uses the Drupal 7 version of that module should update immediately! But, this time, Drupal 6 users can rest easy. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Articles aggregated for consumption on Drupal Planet!

o