Drupal 6 security update for Webform

by Elliot Christenson on October 19, 2016 - 12:35pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Less Critical security release for the Webform module to fix an Access Bypass vulnerability.

When using forms with private file uploads, Webform wasn't explicitly denying access to the files it managed, which could allow access to be granted by other modules.

You can download the patch for Webform 6.x-3.x.

If you have a Drupal 6 site using the Webform module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Drupal 6 security update for Elysia Cron

by Elliot Christenson on October 12, 2016 - 12:18pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Moderately Critical security release for the Elysia Cron module to fix a Cross-Site Scripting (XSS) vulnerability.

Users who have permission to configure this module can add insufficiently sanitized JavaScript in the "Predefined rules" field. However, this vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer elysia cron".

You can download the patch for Elysia Cron 6.x-2.x.

If you have a Drupal 6 site using the Elysia Cron module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Top 5 (In My Opinion) Drupal Blogs for Agencies

by Elliot Christenson on October 10, 2016 - 3:51pm

Drupal is open source software. Thousands of contributors help build it, but of similar importance is the marketing and education wing of the Drupal Community. Drupal Twitter accounts, Drupal podcasts, and today's topic: Drupal Blogs.

There are many, many blogs that are of importance to various aspects of Drupaling. My criteria are really just my own non-authoritative views. Please feel free to Tweet me, Facebook me, or throw in your own ideas in the comments below!

If you're still on Drupal 6, you should switch to Pressflow ... ASAP!

by David Snopek on October 3, 2016 - 2:33pm

If you have a site that's still on Drupal 6, you're not alone. As of about a week ago, there are still over 88,000 Drupal 6 sites out there!

While support from the community ended on February 24th, the Drupal 6 Long-Term Support vendors have been hard at work, releasing over 20 security fixes for various contrib so far, including very popular modules like Views and Panels!

While the D6LTS vendors haven't released any security fixes for Drupal 6 core yet - it's only a matter of time!

If you want to be ready for it when they do, we recommend that you update to Pressflow. But that's not the only reason!

Read more to find out why and how!

How to QUICKLY and SAFELY deploy to the live site WITHOUT comprehensive testing!

by David Snopek on September 26, 2016 - 6:41am

On the one hand, you want to deploy changes to the live site QUICKLY (for, say, a Highly Critical security update).

On the other hand, you want to make changes SAFELY, i.e. you don't want them to break the site.

Testing is good. Automated testing is great.

But what if you simply didn't have the resources to comprehensively test the change (either manually or automatically)?

Maybe the client isn't willing to fund a project to write automated tests. Maybe you don't have the extra time or extra people to do proper QA. Whatever the reason, you just couldn't do it.

Is it possible to both quickly AND safely deploy to the live site WITHOUT comprehensive testing?

... besides just crossing your fingers and hoping it doesn't break?

We think there is a way. :-) Read more to find out!

Giving Clients What They Need - Not What They Want

by Elliot Christenson on September 20, 2016 - 7:38am

If you're anything like me, you've spent a few years in the freelance/agency world performing work for clients. If your clients are anything like the ones I've had, they come in with preconceived notions, "wives' tales", and many, many things that are just not in their best interest.

I know there is a tendency to say "the customer is always right." I would prefer to say "the customer is entitled to the best product possible."

Part of that product is you - their developer - and your knowledge.

In this post, I'm going to attempt to show you a piece of what I mean when I say "Giving Clients What They Need - Not What They Want".

Higher Ed Drupal: Drupal In Computer Science

by Elliot Christenson on September 6, 2016 - 8:46pm

School has just started for many of your children. It may be starting for you too!

I start tomorrow: as an instructor at the University of Wisconsin-Green Bay. My mind is all full of anxiety as I try to guess the level of knowledge of the large (25 plus a waiting list) class. I'm also excited to bring Drupal into the classroom.

At myDropWizard, we supply support and maintenance for several world-class universities, so I know Drupal is no stranger to the world of "higher-ed". There are also Higher Ed sessions at Drupalcon and most DrupalCamps!

Drupal 6 security updates for Flag!

by David Snopek on August 31, 2016 - 12:49pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Moderately Critical security release for the Flag module to fix multiple Access Bypass vulnerabilities.

The module includes a view that lists each user's bookmarked content as a tab on their user profile. The permissions on this view are set up incorrectly, allowing any user who has permission to use the 'bookmarks' flag to see the list of content that any user has bookmarked.

See the security advisory for Drupal 7 for more information.

Here you can download the patch for 6.x-1.x or 6.x-2.x!

If you have a Drupal 6 site using the Flag module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Survey Results From "Is Drupal Hard?"

by Elliot Christenson on August 23, 2016 - 7:51am

A few weeks ago, we had A Survey! Is Drupal Hard?

First of all, thank you for taking the time to answer (even though we had a short-lived technical snafu!). At myDropWizard, we believe in transparency and openness, so I'm going to share the unfiltered data with you - as well as what my thoughts are in interpreting this non-scientific study.

Drupal 6 security updates for Panels!

by Elliot Christenson on August 17, 2016 - 1:16pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Critical security release for the Panels module to fix multiple Access Bypass vulnerabilities.

The first vulnerability allows anonymous users to use AJAX callbacks to pull content and configuration from Panels, which allows them to access private data. The second allows authenticated users with permission to use the Panels IPE to modify the Panels display for pages that they don't otherwise have permission to edit.

See the security advisory for Drupal 7 for more information.

Here you can download the patch for 6.x-3.x!

If you have a Drupal 6 site using the Panels module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Articles aggregated for consumption on Drupal Planet!
