Creating a static copy of a Drupal 6 site

by Elliot Christenson on August 15, 2016 - 3:40pm

As you probably already know, Drupal 6 is end-of-lifed. This creates many risks for Drupal 6 site owners trying to keep their sites up! First and foremost: security updates are difficult to find and get. Because the energy of the Drupal community as a whole is focused on Drupal 8, the resources dedicated to keeping Drupal 6 secure are very limited. So, your site is more vulnerable to being hacked.

YouTube videos stop working with Lightbox2? Here's the fix!

by David Snopek on August 15, 2016 - 7:12am

This is similar to our last article about how YouTube videos stopped working with Embedded Video Field on Drupal 6 - except this is for Lightbox2 and affects Drupal 6, 7 and 8.

While we still can't seem to find any announcement from Google, it appears that the old YouTube embed code (which is used by the Lightbox2 module) has stopped working.

Using Lightbox2 to play videos is sort of an edge case, and there wasn't an existing fix for it, so we created a patch on this issue.

We encountered this issue with one of our Drupal 6 Long-Term Support customers, so we created a Drupal 6 patch too!

(We created a Drupal 7 patch, and looking at the code the Drupal 8 version appears to be affected also, but since there is no stable release for it, we didn't test it or create a D8 patch.)

To fix: just apply the 6.x-1.x or 7.x-2.x patch!

YouTube videos stop working on your Drupal 6 site? Here's the fix!

by David Snopek on August 12, 2016 - 4:47pm

If you have a Drupal 6 site that uses Embedded Media Field and the Media: YouTube module to embed the YouTube player on your site, you may have noticed it stopped working in the last couple days.

While we can't seem to find any announcement from Google, it appears that the old YouTube embed code which those modules use has stopped working.

Luckily, it's pretty easy to fix!

Read more to find out how...

Drupal 6 security updates for Google Analytics and Piwik!

by David Snopek on August 10, 2016 - 11:21am

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there are two Moderately Critical security releases for the Google Analytics and Piwik modules to fix a Cross-Site Scripting (XSS) vulnerability.

Users who have permission to configure these modules have the ability to add unrestricted, custom JavaScript to the page; however, it's not commonly known that this permission presents a security risk (and there was previously no way to separate the ability to configure the modules from the ability to add JavaScript).

The new versions create a new permission for adding JavaScript code, which users will need to have in addition to just the permission necessary to configure the modules.

You can download one of the three patches for Google Analytics for 6.x-2.x, 6.x-3.x and 6.x-4.x.

And you can download this one patch for Piwik.

If you have a Drupal 6 site using the Google Analytics or Piwik modules, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

A Survey! Is Drupal Hard?

by Elliot Christenson on August 1, 2016 - 5:04pm

I attended Drupal Camp WI at the University of Wisconsin-Madison this weekend.

There was a fantastic presentation called "Why Is Drupal So Hard?" by Joe Shindelar at Drupalize.me

It got me thinking about myDropWizard, our clients, and what path people are taking at this current crossroad of Drupal 6 -> Drupal 7 -> Drupal 8 versus going a different path. Sometimes when you are too close to a question, you shouldn't be the one answering it. So, I'd like to ask "you," the world!

I'll share the results in a future blog post, and I'll share my thinking about what the results mean.

If you have any criticisms of the survey, please share those with me! I think this is just the first of a few surveys that we can do.

I hope this is fun, and I know it's not "scientific". However, I am hoping that it continues the discussion within the Drupal Community in regards to what we should do?

Without further ado: Here is the survey!

If you're not selling support and maintenance plans to your clients, YOU'RE DOING IT WRONG!

by David Snopek on July 25, 2016 - 12:02pm

Just finished a big project for a client? Awesome!

Did you sell them a support and maintenance plan for their new site?

No? Well, I'm sorry to tell you: YOU'RE DOING IT WRONG!

But you wouldn't be the only one!

The vast majority of Drupal shops and freelancers build sites and move on without offering a support and maintenance plan, figuring if the client has any problems they can just bill them for it at their hourly rate.

However, you're missing out on several advantages - read more to find out what they are!

Highly Critical Security Updates released (per PSA-2016-001)

by David Snopek on July 13, 2016 - 11:03am

You may have noticed a PSA from the security team about some highly critical security updates coming out today.

The security advisories have just been released (for Drupal 7):

They are considered Highly Critical because they are Remote Code Execution (RCE) vulnerabilities, which means that attackers could potentially run arbitrary PHP code on your server, which they could use to add a backdoor to your system, compromise other sites or services, or use your server to attack other servers. These vulnerabilities are also exploitable by anonymous users, or via permissions commonly granted to anonymous users (i.e. the ability to fill out a Webform), so there are few mitigating factors.

Luckily, these only affect sites using these modules (Coder, RESTful Web Services or Webform Multiple File Upload), which the security team estimates as being between 1,000 and 10,000 sites.

However, the Coder vulnerability requires special note because it's possible to exploit sites that have the module even if it's disabled or uninstalled - simply having the Coder module present on your server and accessible to the web could make it vulnerable! Since this module is meant for development, we recommend just removing it from production servers.

If you use any of the above mentioned modules on your Drupal 7 site, we recommend updating as soon as possible (or in the case of Coder, removing it).

If you're a myDropWizard customer, we've already made the updates (deployed directly to your site in most cases, or sent to you for testing if you've requested that as part of your workflow).

If you're interested in having myDropWizard perform support and maintenance on your site or your clients' sites so that you don't have to worry about this sort of thing, please contact us!

Drupal 6 Is Dead. Long Live Drupal 6!

by Elliot Christenson on June 27, 2016 - 4:08pm

Is Drupal 6 Finally Dead Yet?

The Drupal Community is doing all that we can to move beyond Drupal 6.

We're working hard. We're improving Drupal 8. We're keeping Drupal 7 secure.

You may have heard about the DRUPAL 6 FUNERAL at DrupalCon New Orleans. It's true! There certainly was a fun funeral for Drupal 6 - we even put together a montage of some of the highlights. Of course, we at myDropWizard joked that perhaps we should have dressed as "the ghost of Drupal 6".

Drupal 6 security update for Secure Password Hashes!

by David Snopek on June 22, 2016 - 1:42pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a security release for Secure Password Hashes to fix a security bug.

By default in Drupal 6, all of a user's existing login sessions will be closed and the current session regenerated when a user changes their password. There was a bug in the Secure Password Hashes module that prevented this from happening.

With the help of the D6LTS vendors, a new version was released.

You can also download the patch.

If you have a Drupal 6 site using the Secure Password Hashes module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Drupal 6 security update for Views!

by David Snopek on June 15, 2016 - 3:29pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Moderately Critical security release for Views to fix an Access Bypass vulnerability.

An access bypass vulnerability exists in the Views module, where users without the "View content count" permission can see the number of hits collected by the Statistics module for results in the view.

This issue is mitigated by the fact that the view must be configured to show a "Content statistics" field, such as "Total views", "Views today" or "Last visit".

Download the patch for Views 6.x-2.x or 6.x-3.x.

If you have a Drupal 6 site using the Views module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Articles aggregated for consumption on Drupal Planet!
