On April 25, 2018 a critical vulnerability was discovered in Drupal that allows attackers to remotely run code on web servers. It has already been exploited on some sites (not The Hidden Blade) to run Bitcoin miners. The vulnerability is easily patched on Drupal 7 and 8. The bad news is The Hidden Blade runs on Drupal 6 which is no longer officially supported. Some volunteers backported the patch to Drupal 6 and I have installed it. So I think we're good for now.
Upgrading to another major version would be a pain because of all the customization I've done to the site. Still, this vulnerability has demonstrated that we can't stay on Drupal 6 indefinitely. I will investigate upgrading to Drupal 7 or 8 on a test site with the goal of eventually switching over.
In the meantime our web hosting service is monitoring the site for intrusions. If the patch was insufficient and attackers manage to exploit the site, then they will disable services until I can get it upgraded.
PM incoming!
I will investigate upgrading to Drupal 7 or 8
Status update: Drupal consists of Core and Contributed modules. When a new release of Core comes out, it takes some time for third party developers to update their Contributed modules. I took inventory of the Contributed modules currently in use by The Hidden Blade and checked their status in Drupal 7 and 8.
Drupal 8 is not going to happen. About half of the modules we need either aren't ready yet or will never be ported to Drupal 8 because the developers are no longer actively maintaining them.
That leaves Drupal 7 which kind of sucks because it's next in line to be dropped from official support. There are only four modules on THB that have no obvious migration path:
The one I'm most concerned about is SWF Tools because that's how we embed large videos on the front page. There are probably workarounds or replacement modules for all of the above.
HTML5 playback ought to be supported?
Good call. There's a Drupal module called Video.js which is an HTML5-based video player for Drupal 7 and 8. Another developer provided a Drupal 7 module that configures Video.js to play YouTube hosted videos.
If that doesn't work, you can always try and hack something together with iframes. That's what the embed html on YT vids uses.
In the meantime our web hosting service is monitoring the site for intrusions.
It's that time again - Crisis Time.
I will be installing security updates this month (May, 2022) to bring it back up to code. Downtime will be kept to a minimum. If you find the website down and want a status update, please visit our Discord server.
Updates are complete and our web hosting service has given The Hidden Blade its stamp of approval.
No pressure, but try and get the site certificate when you can too.
Enabling HTTPS made its way to the top of my to-do list for another website I'm building. As promised, I took the opportunity to do the same for The Hidden Blade.
PureNihilist666, please test https://thehiddenblade.com/ and let me know if anything else needs to be done. So far it's working well for me in Chrome but only so-so in Firefox. The latter complains that the images are not secure or something.
[Firefox] complains that the images are not secure or something.
This was an issue with smileys loading from the insecure (http://) URL. It seems to have resolved itself with the gradual flushing of the image cache. Firefox now reports the site is secure.
How does it look to you PureNihilist666?
Enabling HTTPS made its way to the top of my to-do list for another website I'm building. As promised, I took the opportunity to do the same for The Hidden Blade. PureNihilist666, please test https://thehiddenblade.com/ and let me know if anything else needs to be done. So far it's working well for me in Chrome but only so-so in Firefox. The latter complains that the images are not secure or something.
Looks good for me!
My sincere apologies for not replying promptly as I wished to do. School's started again and I've honestly forgotten about AC in general for a while; but excuses are going to get me nowhere.
No issues with opening the image in a new tab or opening the image as a link in a new tab. I've tested this in Brave, which is Chromium-based, and the site is upgraded to https from what I can see. Browser says the certificate is valid.
Again, sincere apologies for replying a month later and I thank you for your great work on the upgrades to the site.