Crisis averted, for now

stabguy
Administrator
male
Honolulu, HI USA
Joined: 09/15/2009

On April 25, 2018, a critical vulnerability was discovered in Drupal that allows attackers to remotely run code on web servers. It has already been exploited on some sites (not The Hidden Blade) to run Bitcoin miners. The vulnerability is easily patched on Drupal 7 and 8. The bad news is The Hidden Blade runs on Drupal 6, which is no longer officially supported. Some volunteers backported the patch to Drupal 6 and I have installed it. So I think we're good for now.

Upgrading to another major version would be a pain because of all the customization I've done to the site. Still, this vulnerability has demonstrated that we can't stay on Drupal 6 indefinitely. I will investigate upgrading to Drupal 7 or 8 on a test site with the goal of eventually switching over.

In the meantime our web hosting service is monitoring the site for intrusions. If the patch was insufficient and attackers manage to exploit the site, then they will disable services until I can get it upgraded.

I reach in my pocket, pull out some dough. Girl acting like she never seen a $10 before.
You can call me Aaron Burr from the way I'm dropping Hamiltons.

Double McStab with Cheese
Citizen
male
San Diego, CA
Joined: 03/29/2012

PM incoming!

"Apollodorus came, Caesar saw, Cleopatra conquered." ― Stacy Schiff, Cleopatra: A Life

stabguy

stabguy wrote:
I will investigate upgrading to Drupal 7 or 8

Status update: Drupal consists of Core and Contributed modules. When a new release of Core comes out, it takes some time for third-party developers to update their Contributed modules. I took inventory of the Contributed modules currently in use by The Hidden Blade and checked their status in Drupal 7 and 8.

Drupal 8 is not going to happen. About half of the modules we need either aren't ready yet or will never be ported to Drupal 8 because the developers are no longer actively maintaining them.

That leaves Drupal 7, which kind of sucks because it's next in line to be dropped from official support. There are only four modules on THB that have no obvious migration path:

  • Premium: Restricts access to premium content.
  • Smileys: Allows the easy use of graphical smileys (or 'emoticons').
  • SWF Tools: Embed flash content and media players on your pages.
  • User List: Creates several user lists for viewing members of the site.

The one I'm most concerned about is SWF Tools because that's how we embed large videos on the front page. There are probably workarounds or replacement modules for all of the above.


161803398874989
Citizen
male
Joined: 12/13/2010

HTML5 playback ought to be supported?

_________________

"Betraying the Assassins is never good for one's health."
"Well, neither is drinking liquor, but I'm drawn to its dangers all the same."

stabguy

Good call. There's a Drupal module called Video.js which is an HTML5-based video player for Drupal 7 and 8. Another developer provided a Drupal 7 module that configures Video.js to play YouTube hosted videos.


161803398874989

If that doesn't work, you can always try and hack something together with iframes. That's what the embed HTML on YT vids uses.
