HIGHLY CRITICAL Drupal core security update for SA-CORE-2018-002 (including Drupal 6!)

by David Snopek on March 28, 2018 - 2:25pm

Today, there is a Highly Critical security release for Drupal core to fix a Remote Code Execution (RCE) vulnerability. You can learn more in the security advisory:

Drupal core - Critical - Remote Code Execution - SA-CORE-2018-002

As we noted last week, this issue also affects Drupal 6! So, we're also making a Drupal 6 Long-Term Support (D6LTS) release of Drupal core.

Drupal 6 core security update

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Here you can download the Drupal 6 patch to fix, or a full release ZIP or TAR.GZ.

If you have a Drupal 6 site, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install security updates for contrib modules (even though they won't necessarily have a release on Drupal.org).

Drupal 6 highly critical security release on March 28th (PSA-2018-001)

by David Snopek on March 22, 2018 - 9:16am

Yesterday, the Drupal Security Team published PSA-2018-001, announcing that there would be a security release for Drupal 7 & 8 on March 28th to fix a highly critical security vulnerability.

The same vulnerability also affects Drupal 6, and so there will also be a Drupal 6 security release shortly after the Drupal 7 & 8 security advisory is published.

We'll be announcing that here, on the myDropWizard blog, as well as in the D6LTS issue queue on Drupal.org.

If you have any Drupal 6, 7 or 8 sites, we highly recommend setting aside some time on March 28th to update all of your sites!

If you're a myDropWizard customer: we'll be sending you the patch or deploying to your site or making a PR (depending on the workflow you have setup with us) as soon as possible once the security advisory is published. As always, we get all security updates out to our customers the same day they're released! This will be no different :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Drupal core security update for SA-CORE-2018-001 (including Drupal 6!)

by David Snopek on February 21, 2018 - 12:37pm

Today, there is a Critical security release for Drupal core to fix multiple vulnerabilities. You can learn more in the security advisory:

Drupal core - Critical - Multiple Vulnerabilities - SA-CORE-2018-001

What makes this release special, is that some of these issues also affect Drupal 6! So, we're also making a Drupal 6 Long-Term Support (D6LTS) release of Drupal core.

Drupal 6 core security update

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

The following vulnerabilities mentioned in the security advisory affect Drupal 6:

  • JavaScript cross-site scripting prevention is incomplete - Critical

  • jQuery vulnerability with untrusted domains - Moderately Critical

  • External link injection on 404 pages when linking to the current page - Less Critical

Here you can download the Drupal 6 patch to fix, or a full release ZIP or TAR.GZ.

If you have a Drupal 6 site, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Are your private Drupal files secure? Check now!

by David Snopek on January 17, 2018 - 10:21am

One of the great things about Drupal, is that it's possible to build a pretty advanced site just by pointing and clicking and configuring things - what we call "site building" in the Drupal universe.

But with all that power, you can also make your Drupal site less secure - and possible to hack! - just by changing configuration settings! We covered other examples of this in a previous article.

Today we're going to talk about one of the most common... and most DANGEROUS: exposing your Drupal private files on the internet.

In this article we're going to discuss how to determine if your private files have been exposed, and also how to fix it.

Read more to find out!

My security resolutions for 2017! #SecurityResolutions

by David Snopek on January 31, 2017 - 11:58am

I'm a member of the Drupal Security Team, and many of the services offered by myDropWizard involve assisting our customers to improve the security of their Drupal sites -- so, I know quite a lot about security and try to be mindful about my own computer use.

However, computer security is an on-going process: it can always be improved and so you're never truly done.

In this article, I'm going to share my personal list of security resolutions for 2017!

Maybe you'll find something you'd like to implement as well?

Or perhaps you'd like to share your own security resolutions for this year?

Please share your thoughts in the comments (or on Twitter)!

Drupal 6 workaround for the highly critical vulnerability in PHPMailer

by David Snopek on December 26, 2016 - 5:45pm

You may have noticed that CVE-2016-10033 came out yesterday, which discloses an Remote Code Execution (RCE) vulnerability in the PHPMailer library which is used by popular contrib modules like SMTP or PHPMailer.

This is a highly critical vulnerability because Remote Code Execution means an attacker can run arbitrary code on your server!

Elysia Cron on Drupal 6? Audit your permissions!

by David Snopek on November 30, 2016 - 2:07pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, a security update for Elysia Cron was released for Drupal 7 per the SA-CONTRIB-2016-062 security advisory.

All the update does is mark the permission to administer Elysia Cron as "dangerous" because it allows users to execute arbitrary PHP code. This is by design, it's an explicity feature of Elysia Cron - if it wasn't intended by the module authors it would have been a Remote Code Execution vulnerability. However, users might not be aware that permission grants the ability to execute PHP, hence the security advisory!

Unfortunately, there isn't a way to mark a permission as dangerous under Drupal 6. There isn't even a way to have seperate machine name and human-readable labels for permissions, so there isn't a straight-forward way to add a user visible message. :-(

So, the Drupal 6 Long-Term Support vendors (us included) have decided to simply announce the problem and ask anyone using the Elysia Cron to audit which users/roles have the "administer elysia_cron" permission and make sure it's OK that they can execute arbitrary PHP code.

We're going to be auditting the permission on our client's sites, so, if you're one of our customers - no need to worry! We'll contact you if we have any concerns.

If you'd like us to handle this and similar issues, as well as have all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Drupal 6 security update for Views Send

by David Snopek on November 9, 2016 - 1:08pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Moderately Critical security release for the Views Send module to fix a Cross Site Scripting (XSS) vulnerability.

Views Send enables you to send mail to multiple user from a View.

The module doesn't sufficiently filter potential user-supplied data when it's previewing the mail which can lead to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "mass mailing with views_send".

You can download the patch.

If you have a Drupal 6 site using the Views Send module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Drupal 6 security update for Webform

by Elliot Christenson on October 19, 2016 - 12:35pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Less Critical security release for the Webform module to fix an Access Bypass vulnerability.

When using forms with private file uploads, Webform wasn't explicitly denying access to files it managed which could allow access to be granted by other modules.

You can download the patch for Webform 6.x-3.x.

If you have a Drupal 6 site using the Webform, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Drupal 6 security update for Elysia Cron

by Elliot Christenson on October 12, 2016 - 12:18pm

As you may know, Drupal 6 has reached End-of-Life (EOL) which means the Drupal Security Team is no longer doing Security Advisories or working on security patches for Drupal 6 core or contrib modules - but the Drupal 6 LTS vendors are and we're one of them!

Today, there is a Moderately Critical security release for the Elysia Cron module to fix a Cross-Site Scripting (XSS) vulnerability.

Users who have permission to configure this module have the ability to add insufficiently sanitized JavaScript in the "Predefined rules" field, however, this vulnerability is mitigated by the fact that an attacker must have a role with the permission "Administer elysia cron".

You can download the patch for Elysia Cron 6.x-2.x.

If you have a Drupal 6 site using the Elysia Cron module, we recommend you update immediately! We have already deployed the patch for all of our Drupal 6 Long-Term Support clients. :-)

If you'd like all your Drupal 6 modules to receive security updates and have the fixes deployed the same day they're released, please check out our D6LTS plans.

Note: if you use the myDropWizard module (totally free!), you'll be alerted to these and any future security updates, and will be able to use drush to install them (even though they won't necessarily have a release on Drupal.org).

Articles about keeping your Drupal site secure!

o