Highly Critical Security Updates released (per PSA-2016-001)

by David Snopek on July 13, 2016 - 11:03am

You may have noticed a PSA from the security team about some highly critical security updates coming out today.

The security advisories have just been released (for Drupal 7):

They are considered Highly Critical because they are Remote Code Execution (RCE) vulnerabilities, which means that attackers could potentially run arbitrary PHP code on your server, which they could use to add a backdoor to your system, compromise other sites or services, or use your server to attack other servers. These vulnerabilities are also exploitable by anonymous users, or via permissions commonly granted to anonymous users (i.e. the ability to fill out a Webform), so there are few mitigating factors.

Luckily, these only affect sites using these modules (Coder, RESTful Web Services or Webform Multiple File Upload), which the security team estimates as being between 1,000 and 10,000 sites.

However, the Coder vulnerability requires special note because it's possible to exploit sites that have the module even if it's disabled or uninstalled - simply having the Coder module present on your server and accessible to the web could make it vulnerable! Since this module is meant for development, we recommend just removing it from production servers.

If you use any of the above mentioned modules on your Drupal 7 site, we recommend updating as soon as possible (or in the case of Coder, removing it).

If you're a myDropWizard customer, we've already made the updates (deployed directly to your site in most cases, or sent to you for testing if you've requested that as part of your workflow).

If you're interested in having myDropWizard perform support and maintenance on your site or your clients' sites so that you don't have to worry about this sort of thing, please contact us!

Drupal 6 Is Dead. Long Live Drupal 6!

by Elliot Christenson on June 27, 2016 - 4:08pm

Is Drupal 6 Finally Dead Yet?

The Drupal Community is doing all that we can to move beyond Drupal 6.

We're working hard. We're improving Drupal 8. We're keeping Drupal 7 secure.

You may have heard about the DRUPAL 6 FUNERAL at DrupalCon New Orleans. It's true! There certainly was a fun funeral for Drupal 6 - we even put together a montage of some of the highlights. Of course, we at myDropWizard joked that perhaps we should have dressed as "the ghost of Drupal 6".

Drupal 6 security update for Secure Password Hashes!

by David Snopek on June 22, 2016 - 1:42pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a security release for Secure Password Hashes to fix a security bug.

By default in Drupal 6, all of a user's existing login sessions will be closed and the current session regenerated when a user changes their password. There was a bug in the Secure Password Hashes module that prevented this from happening.
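The behaviour the post describes, as an added illustration rather than code from Drupal or the Secure Password Hashes module: an in-memory session store whose password change closes the user's other sessions and regenerates the current one, next to the variant that forgets to do so (all names and the table layout are constructed for this example).

```python
import hashlib
import secrets


class SessionStore:
    """Toy session table keyed by session id (a constructed in-memory stand-in for a sessions DB table)."""

    def __init__(self):
        self.sessions = {}   # session id -> uid
        self.passwords = {}  # uid -> (salt, pbkdf2 digest)

    def set_password(self, uid, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.passwords[uid] = (salt, digest)

    def verify_password(self, uid, password):
        salt, digest = self.passwords[uid]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return secrets.compare_digest(candidate, digest)

    def login(self, uid):
        sid = secrets.token_hex(16)
        self.sessions[sid] = uid
        return sid

    def sessions_for(self, uid):
        return {sid for sid, owner in self.sessions.items() if owner == uid}

    def change_password_unsafe(self, sid, new_password):
        # The buggy behaviour: the hash is updated, but every session the user
        # has (including one somebody else may already hold) keeps working.
        uid = self.sessions[sid]
        self.set_password(uid, new_password)
        return sid

    def change_password(self, sid, new_password):
        # Expected behaviour: drop all of the user's sessions, then re-create
        # the current one under a fresh id so only this browser stays logged in.
        uid = self.sessions[sid]
        self.set_password(uid, new_password)
        for stale in self.sessions_for(uid):
            del self.sessions[stale]
        return self.login(uid)
```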

With the help of the D6LTS vendors, a new version was released.

You can also download the patch.

If you have a Drupal 6 site using the Secure Password Hashes module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Drupal 6 security update for Views!

by David Snopek on June 15, 2016 - 3:29pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Moderately Critical security release for Views to fix an Access Bypass vulnerability.

An access bypass vulnerability exists in the Views module, where users without the "View content count" permission can see the number of hits collected by the Statistics module for results in the view.

This issue is mitigated by the fact that the view must be configured to show a "Content statistics" field, such as "Total views", "Views today" or "Last visit".

Download the patch for Views 6.x-2.x or 6.x-3.x.

If you have a Drupal 6 site using the Views module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Drupal 6 security update for XML sitemap!

by David Snopek on May 25, 2016 - 11:26am

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Moderately Critical security release for XML sitemap to fix a Cross-Site Scripting (XSS) vulnerability.

The module doesn't sufficiently filter the URL when it is displayed in the sitemap.

This vulnerability is mitigated if the setting for "Include a stylesheet in the sitemaps for humans." on the module's administration settings page is not enabled (the default is enabled).

Download the patch for XML Sitemap 6.x-2.x (also works with 6.x-2.1, the latest release), 6.x-1.x or 6.x-1.2.

If you have a Drupal 6 site using the XML sitemap, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

myDropWizard is providing Drupal 6 Long-Term Support for 424 sites!

by David Snopek on May 6, 2016 - 2:16pm

We've been pretty busy in the 11 weeks since Drupal 6's End-of-Life on February 24th.

Really, CRAZY busy, in fact!

We're currently responsible for providing Drupal 6 Long-Term Support for 424 sites in total!

For some of our bigger clients with large numbers of sites on a single code-base or those subject to regulation (for example, governments and universities) we had to compromise on not providing "security updates only" service - but some protection is certainly better than no protection.

Going through the sales process (which includes performing an in-depth site audit), on-boarding process and subsequently supporting and maintaining 424 sites in only 11 weeks has been enormously challenging for a small company like ours - but also an amazing learning experience.

Things are finally slowing a bit with regard to Drupal 6 LTS, we're heading out to DrupalCon New Orleans next week, and starting to look at the next phase for our business.

This feels like a good time to stop and reflect on the things we've learned from our experience with providing Drupal 6 LTS: what worked, what didn't and what we can improve for the future!

This isn't a marketing post (unlike most of our posts recently - sorry!) but a look Behind the Veil at our growing startup, what we do and why we do it. And it's about time! The last one I did was back in June, explaining why we were launching myDropWizard.

So, if you're still interested in my meandering reflections, please read on!

Connect with myDropWizard at DrupalCon New Orleans!

by David Snopek on May 2, 2016 - 12:04pm

Next week Drupalers from all around the world will be descending on the beautiful city of New Orleans for DrupalCon 2016 - and myDropWizard will be there too!

If you've never been to a DrupalCon - you're missing out. It's an opportunity to meet the Drupal people you know virtually, be surrounded by a dizzying amount of Drupal knowledge, and get inspired and excited for the future of Drupal. Watching the videos is great, but I'd argue that you can learn more by asking someone in the hallway or attending a sprint.

Anyway, there are lots of great articles about why you should attend DrupalCon - I'm not going to attempt to rehash all that here. :-)

But if you're coming, I am going to try and encourage you to connect with myDropWizard while you're at DrupalCon New Orleans!

Both myself (David Snopek) and myDropWizard co-founder, Elliot Christenson, will be there. If you're interested in ...

... then come and find us!

Drupal 6 security update for Views!

by David Snopek on April 20, 2016 - 12:40pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Moderately Critical security release for Views to fix an Access Bypass vulnerability.

The Views module provides a flexible method for Drupal site designers to control how lists and tables of content, users, taxonomy terms and other data are presented.

The module doesn't sufficiently check handler access when returning the list of handlers from view_plugin_display::get_handlers(). The most critical code (access plugins and field output) is unaffected - only area handlers, the get_field_labels() method, token replacement, and some relationship handling are susceptible.

Download the patch for Views 6.x-2.x or Views 6.x-3.x!

If you have a Drupal 6 site using the Views module (probably most sites), we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Why you SHOULDN'T upgrade from Drupal 6!

by David Snopek on April 12, 2016 - 2:00pm

Ever since Drupal 6's End-of-Life on February 24th, there have been countless blogs and articles about why you should upgrade to Drupal 7 or 8 as quickly as possible.

But this may be the only article arguing that you SHOULDN'T upgrade from Drupal 6! ;-)

If you have a complex Drupal 6 site, and you haven't started the upgrade process yet - contrary to conventional wisdom - the best answer may be: keep waiting.

No, this isn't an April Fools joke, and we're not being sarcastic. :-)

Want to know why? Keep reading!

Security Review 1.3 released for Drupal 6!

by David Snopek on March 24, 2016 - 5:03pm

If you're running a Drupal site of any version (6, 7 or 8), I highly recommend installing the Security Review module and following its recommendations!

What many people don't realize is that even if you've applied every security update that affects your site, it's possible to introduce vulnerabilities (or make it super easy to escalate a minor vulnerability to a highly critical one) by configuring your Drupal site insecurely.

The Security Review module can identify the most common insecure configurations on your site and tell you how to fix them!

However, if you're planning on keeping your Drupal 6 site running after its End-of-Life (EOL), it's doubly important that you install the Security Review module and harden your site's configuration.

And, yesterday, we released Security Review 1.3 for Drupal 6!

This release is basically the same as the 6.x-1.x-dev release has been for a year, but we've been using it successfully with our customers for quite a while. So, we figured it was time to make a proper release. :-)

However, we intend to continue maintaining the Drupal 6 version of the module and hope to fix (or otherwise close) the last 20 open issues and make more releases.

While most other modules are discontinuing maintenance on their Drupal 6 versions because of the EOL, I think this is one module that needs increased maintenance because of it. :-)

Articles aggregated for consumption on Drupal Planet!