
Crisis averted, for now

12 replies
stabguy
Offline
Administrator
male
Honolulu, HI USA
Joined: 09/15/2009

On April 25, 2018 a critical vulnerability was discovered in Drupal that allows attackers to remotely run code on web servers. It has already been exploited on some sites (not The Hidden Blade) to run Bitcoin miners. The vulnerability is easily patched on Drupal 7 and 8. The bad news is The Hidden Blade runs on Drupal 6 which is no longer officially supported. Some volunteers backported the patch to Drupal 6 and I have installed it. So I think we're good for now.

Upgrading to another major version would be a pain because of all the customization I've done to the site. Still, this vulnerability has demonstrated that we can't stay on Drupal 6 indefinitely. I will investigate upgrading to Drupal 7 or 8 on a test site with the goal of eventually switching over.

In the meantime our web hosting service is monitoring the site for intrusions. If the patch was insufficient and attackers manage to exploit the site, then they will disable services until I can get it upgraded.

You won't even feel the blade.

Double McStab w...
Offline
Citizen
male
San Diego, CA
Joined: 03/29/2012

PM incoming!

"Force has no place where there is need of skill." Herodotus

stabguy
Offline
Administrator
male
Honolulu, HI USA
Joined: 09/15/2009
stabguy wrote:
I will investigate upgrading to Drupal 7 or 8

Status update: Drupal consists of Core and Contributed modules. When a new release of Core comes out, it takes some time for third party developers to update their Contributed modules. I took inventory of the Contributed modules currently in use by The Hidden Blade and checked their status in Drupal 7 and 8.

Drupal 8 is not going to happen. About half of the modules we need either aren't ready yet or will never be ported to Drupal 8 because the developers are no longer actively maintaining them.

That leaves Drupal 7 which kind of sucks because it's next in line to be dropped from official support. There are only four modules on THB that have no obvious migration path:

  • Premium: Restricts access to premium content.
  • Smileys: Allows the easy use of graphical smileys (or 'emoticons').
  • SWF Tools: Embed flash content and media players on your pages.
  • User List: Creates several user lists for viewing members of the site.

The one I'm most concerned about is SWF Tools because that's how we embed large videos on the front page. There are probably workarounds or replacement modules for all of the above.

You won't even feel the blade.

161803398874989
Offline
male
Joined: 12/13/2010

HTML5 playback ought to be supported?

_________________

"Betraying the Assassins is never good for one's health."
"Well, neither is drinking liquor, but I'm drawn to its dangers all the same."

stabguy
Offline
Administrator
male
Honolulu, HI USA
Joined: 09/15/2009

Good call. There's a Drupal module called Video.js which is an HTML5-based video player for Drupal 7 and 8. Another developer provided a Drupal 7 module that configures Video.js to play YouTube hosted videos.

You won't even feel the blade.

161803398874989
Offline
male
Joined: 12/13/2010

If that doesn't work, you can always try and hack something together with iframes. That's what the embed html on YT vids uses.

_________________

"Betraying the Assassins is never good for one's health."
"Well, neither is drinking liquor, but I'm drawn to its dangers all the same."

stabguy
Offline
Administrator
male
Honolulu, HI USA
Joined: 09/15/2009
stabguy wrote:
In the meantime our web hosting service is monitoring the site for intrusions.

It's that time again - Crisis Time.

I will be installing security updates this month (May, 2022) to bring it back up to code. Downtime will be kept to a minimum. If you find the website down and want a status update, please visit our Discord server.

You won't even feel the blade.

stabguy
Offline
Administrator
male
Honolulu, HI USA
Joined: 09/15/2009

Updates are complete and our web hosting service has given The Hidden Blade its stamp of approval.

You won't even feel the blade.

PureNihilist666
Offline
Citizen
male
Joined: 06/14/2021

No pressure, but try and get the site certificate when you can too.

"You cannot trust the words of a snake,
which even in death, produces venom."
- Jabal, Rafiq of Acre

stabguy
Offline
Administrator
male
Honolulu, HI USA
Joined: 09/15/2009

Enabling HTTPS made its way to the top of my to-do list for another website I'm building. As promised, I took the opportunity to do the same for The Hidden Blade.

PureNihilist666, please test https://thehiddenblade.com/ and let me know if anything else needs to be done. So far it's working well for me in Chrome but only so-so in Firefox. The latter complains that the images are not secure or something.

You won't even feel the blade.

stabguy
Offline
Administrator
male
Honolulu, HI USA
Joined: 09/15/2009
stabguy wrote:
[Firefox] complains that the images are not secure or something.

This was an issue with smileys loading from the insecure (http://) URL. It seems to have resolved itself with the gradual flushing of the image cache. Firefox now reports the site is secure.

How does it look to you PureNihilist666?

You won't even feel the blade.
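
The Firefox warning described in the post above is the browser's mixed-content check: an HTTPS page pulling images (the smileys) over plain http://. The following scanner is an added example, not code from the forum or from Drupal; it walks an HTML document for sub-resources still referenced with http:// URLs and, for resources on the site's own host (assumed here to be thehiddenblade.com), proposes the https:// replacement. The sample page is constructed.

```javascript
// Added example (not from the thread or from Drupal): a small mixed-content
// scanner for HTML that is about to be served over HTTPS. It flags
// sub-resources still referenced with a plain http:// URL, the cause of the
// "not secure" report when the smiley images were loaded from http://.
// Runs under Node with no DOM and no third-party library.

// Attributes that load sub-resources, and how browsers classify them:
// images/media are "passive" mixed content (page shown with a warning);
// scripts, iframes and stylesheets are "active" (blocked outright).
const RESOURCE_ATTRS = {
  img: { attr: 'src', kind: 'passive' },
  audio: { attr: 'src', kind: 'passive' },
  video: { attr: 'src', kind: 'passive' },
  script: { attr: 'src', kind: 'active' },
  iframe: { attr: 'src', kind: 'active' },
  link: { attr: 'href', kind: 'active' },
};

// Find sub-resources loaded over plain http:// in an HTML document.
// Returns one record per finding, plus a suggested replacement URL when
// the resource lives on our own host (only the scheme needs to change).
function findMixedContent(html, siteHost) {
  const findings = [];
  const tagRe = /<(img|audio|video|script|iframe|link)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const { attr, kind } = RESOURCE_ATTRS[tag];
    // Only an explicit http:// scheme is mixed content; https://,
    // protocol-relative (//host/...) and relative paths are fine.
    const attrRe = new RegExp(`(?:^|\\s)${attr}\\s*=\\s*["']?(http://[^"'\\s>]+)`, 'i');
    const a = attrRe.exec(m[2]);
    if (!a) continue;
    const url = a[1];
    const host = new URL(url).host;
    findings.push({
      tag, attr, url, kind,
      fix: host === siteHost ? url.replace(/^http:/i, 'https:') : null,
    });
  }
  return findings;
}

// Constructed sample page (hypothetical paths): one smiley still on http://,
// one same-host image already on https://, one relative image, and one
// third-party script on http:// that a browser would block entirely.
const SAMPLE_HTML = `
<p>Crisis averted <img src="http://thehiddenblade.com/smileys/grin.png" alt=":D"></p>
<img src="https://thehiddenblade.com/logo.png">
<img src="/files/banner.png">
<script src="http://cdn.example.invalid/player.js"></script>
`;
```

Running `findMixedContent(SAMPLE_HTML, 'thehiddenblade.com')` reports the smiley (passive, with an https:// fix) and the third-party script (active, no automatic fix); the https:// and relative images are not flagged.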

161803398874989
Offline
male
Joined: 12/13/2010
stabguy wrote:
Enabling HTTPS made its way to the top of my to-do list for another website I'm building. As promised, I took the opportunity to do the same for The Hidden Blade.

PureNihilist666, please test https://thehiddenblade.com/ and let me know if anything else needs to be done. So far it's working well for me in Chrome but only so-so in Firefox. The latter complains that the images are not secure or something.

Looks good for me!

_________________

"Betraying the Assassins is never good for one's health."
"Well, neither is drinking liquor, but I'm drawn to its dangers all the same."

PureNihilist666
Offline
Citizen
male
Joined: 06/14/2021

My sincere apologies for not replying promptly as I wished to do. School's started again and I've honestly forgotten about AC in general for a while; but excuses are going to get me nowhere.

No issues with opening the image in a new tab or opening the image as a link in a new tab. I've tested this in Brave which is Chromium based and the site is upgraded to https from what I can see. Browser says the certificate is valid.

Again, sincere apologies for replying a month later and I thank you for your great work on the upgrades to the site.

"You cannot trust the words of a snake,
which even in death, produces venom."
- Jabal, Rafiq of Acre