Drupal Core - Highly Critical - Public Service announcement - PSA-2014-003

Drupal - 29 October, 2014 - 14:39
Description

This Public Service Announcement is a follow up to SA-CORE-2014-005 - Drupal core - SQL injection. This is not an announcement of a new vulnerability in Drupal.

Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 - Drupal core - SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.

Simply updating to Drupal 7.32 will not remove backdoors.

If you have not updated or applied this patch, do so immediately, then continue reading this announcement; updating to version 7.32 or applying the patch fixes the vulnerability but does not fix an already compromised website. If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised - some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site.

Data and damage control

Attackers may have copied all data out of your site and could use it maliciously. There may be no trace of the attack.

Take a look at our help documentation, “Your Drupal site got hacked, now what”.

Recovery

Attackers may have created access points for themselves (sometimes called “backdoors”) in the database, code, files directory and other locations. Attackers could compromise other services on the server or escalate their access.

Removing a compromised website’s backdoors is difficult because it is not possible to be certain all backdoors have been found.

The Drupal security team recommends that you consult with your hosting provider. If they did not patch Drupal for you or otherwise block the SQL injection attacks within hours of the announcement of Oct 15th, 4pm UTC, restore your website to a backup from before 15 October 2014:

  1. Take the website offline by replacing it with a static HTML page
  2. Notify the server’s administrator emphasizing that other sites or applications hosted on the same server might have been compromised via a backdoor installed by the initial attack
  3. Consider obtaining a new server, or otherwise remove all the website’s files and database from the server. (Keep a copy safe for later analysis.)
  4. Restore the website (Drupal files, uploaded files and database) from backups from before 15 October 2014
  5. Update or patch the restored Drupal core code
  6. Put the restored and patched/updated website back online
  7. Manually redo any desired changes made to the website since the date of the restored backup
  8. Audit anything merged from the compromised website, such as custom code, configuration, files or other artifacts, to confirm they are correct and have not been tampered with.
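One way to carry out the audit in step 8, as an added example that is not the advisory's or Drupal's own code: hash every file in the tree recovered from the compromised server, compare it against a known-good tree (the pre-15-October backup or a pristine Drupal 7.32 unpack), and report what was added, removed or modified, flagging server-side code inside the uploaded-files directory first since that directory should hold only static content. The directory name `files`, the file names and the sample contents are constructed for the example.

```python
# Added example, not code from the Drupal security team or the advisory:
# compare the site tree recovered from the compromised server against a
# known-good copy (the pre-15-October backup or a pristine Drupal 7.32
# unpack) and list files added, removed or modified, so anything merged
# back (step 8 above) is reviewed first. Paths and contents are constructed.
import hashlib
import os
import tempfile

SERVER_SIDE_EXT = {".php", ".phtml", ".inc", ".module", ".install"}


def hash_tree(root):
    """Map each file under root (relative, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = digest
    return digests


def compare_trees(known_good, suspect):
    """Relative paths added, removed or modified in suspect vs known_good."""
    good, bad = hash_tree(known_good), hash_tree(suspect)
    return {
        "added": sorted(set(bad) - set(good)),
        "removed": sorted(set(good) - set(bad)),
        "modified": sorted(p for p in set(good) & set(bad) if good[p] != bad[p]),
    }


def suspicious_uploads(findings, files_dir="files"):
    """Added or modified files with a server-side extension inside the
    uploaded-files directory (files_dir, assumed 'files' here). Uploads
    should be static content, so code there is a likely planted backdoor."""
    prefix = files_dir.rstrip("/") + "/"
    return sorted(p for p in findings["added"] + findings["modified"]
                  if p.startswith(prefix)
                  and os.path.splitext(p)[1].lower() in SERVER_SIDE_EXT)


def _write(root, rel, content):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(content)


def demo():
    """Build a constructed backup and recovered tree, then audit the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        good, bad = os.path.join(tmp, "backup"), os.path.join(tmp, "recovered")
        for root in (good, bad):
            _write(root, "index.php", "<?php // front controller\n")
            _write(root, "files/logo.png", "png-bytes")
        _write(good, "modules/custom/site.module", "<?php // v1\n")
        _write(bad, "modules/custom/site.module", "<?php // v1, unexplained edit\n")
        _write(bad, "files/cache.php", "<?php // code where only uploads belong\n")
        findings = compare_trees(good, bad)
        return findings, suspicious_uploads(findings)
```

Run `compare_trees` against the real backup and recovered trees, then review every "modified" and "added" path by hand before any of it goes back online.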

While recovery without restoring from backup may be possible, this is not advised because backdoors can be extremely difficult to find. The recommendation is to restore from backup or rebuild from scratch.

For more information, please see our FAQ on SA-CORE-2014-005.

Contact and More Information

We've prepared a FAQ on this release. Read more at FAQ on SA-CORE-2014-005.

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: Drupal 7.x
Categories: Content Management

Next Steps for the Drupal.org Terms of Service and Privacy Policy

Drupal - 29 October, 2014 - 13:11

Thanks to the hard work of staff and the Drupal.org Content Working Group, we have completed another round of updates to our draft privacy policy and terms of service. We were able to respond to much of the feedback provided in our earlier announcement.

The biggest issues pointed out by the community had to do with the tone of the language in the documents. Many pointed out that it did not match the values of our community. We took a closer look at organizations such as the Wikimedia Foundation and Mozilla, incorporating some of the approaches they took to make our terms a bit more human. We trimmed and shortened what we could. We clarified where things were ambiguous. The end result is much more in line with our community values.

Some examples of changes include the following:

  • When possible, we changed the tone of both documents to make them more friendly.
  • We removed capital letters and used other means to make specific parts of the document noticeable.
  • We deleted a couple of references to collecting data that we do not actually collect.
  • We clarified that we won’t block accounts “for any and no reason”, but only in cases of Terms of Service, Code of Conduct and Git access policy violations.
  • We clarified active notification of users about material changes to policy. We will send an email at least 72 hours prior to changes going into effect. This will give users time to delete their accounts if they don’t want to accept new policies.
  • We added contact info and updated all phone numbers, addresses etc. to be formatted according to international standards.
  • We clarified that you don’t need to create an account to access the Website, just some parts of it.
  • We clarified how to notify us in case of unauthorized access to a user account.
  • We clarified how long we store data after it has been removed from a user profile.

We did leave some things from the previous draft without major changes, such as bullet points under section C, for example. And we did it for a reason. One of our goals is to make Drupal.org a place where everyone feels comfortable. Additionally, we have to ensure that Drupal.org is protected if a legal issue does arise. Those bullet points are there not because we want to be able to police or censor the activity on the site. This language exists because it protects Drupal.org if one user takes issue with content from another user. We will still use the process outlined in the Drupal Code of Conduct to resolve any issues whenever we can.

With that in mind, please take a look at the latest drafts:

Terms of Service
Privacy Policy

We will be putting these documents into place on Wednesday, 5 November, 2014. All comments added to this thread will be included in our planning for the next revision. We hope to review the Terms of Service and Privacy Policy quarterly and update them with community feedback.

Thank you for all your help in building these documents.

Categories: Content Management

Keys to a Great Online Buying Experience for Users and Great Revenue for You

CMS Report - 29 October, 2014 - 10:34

eCommerce solution frameworks like Volusion, Bigcommerce, Magento, Shopify and custom sites built with Bespoke are a good way to begin the process of planning for eCommerce. But, no matter which framework or solution you choose, you will need to carefully plan the online store or shopping cart, using comprehensive information about your customers and prospects and their needs and demands.

Categories: Content Management

BYOD vs. COPE: The Fight Over Freedom and Security

CMS Report - 28 October, 2014 - 10:36

One of the biggest trends from just the past few years can easily be summed up through the letters BYOD. Bring Your Own Device policies have been all the rage among companies looking to increase employee productivity while also saving on costs, and it’s a trend that doesn’t appear to be slowing down. According to Gartner, about half of companies will have some sort of BYOD program in place by the year 2017. But all is not sunshine and rainbows for the relatively popular BYOD movement. The issue of security continues to grow as IT departments struggle to keep up with the demands of an ever-evolving landscape of mobile devices and security threats. With this prevalent concern, an alternative strategy has popped up called COPE. Comparing the two reveals both strengths and weaknesses for the competing mobile device methods.

Categories: Content Management

Watch WordCamp San Francisco Livestream

Wordpress - 24 October, 2014 - 20:18

WordCamp San Francisco is the official annual WordPress conference, gathering the community every year since 2006. This is the time when Matt Mullenweg addresses the community in his annual State of the Word presentation – a recap of the year in WordPress and a glimpse into its future.

This year the speaker lineup is stellar. There will be talks by three of the lead WordPress developers: Andrew Nacin, Helen Hou-Sandí, and Mark Jaquith. We’re also looking forward to speakers like Jenny Lawson, also known as The Bloggess, and Chris Lema. If you’re at all interested in the web, you will appreciate the appearance of Jeff Veen – one of the creators of Google Analytics and co-founder of Typekit.

Even though San Francisco is far far away for most of you, you can still be part of the fun and watch all presentations in real-time via livestream:

Get a livestream ticket and watch all talks from WordCamp San Francisco live

If you hurry, you can get one of the special livestream tickets, including a WordCamp San Francisco 2014 t-shirt. You can find all the technical details and start times at the WordCamp San Francisco website.

Categories: Content Management

Magento: Everything you need to know about product attribute sets

CMS Report - 24 October, 2014 - 14:58

The Magento ecommerce platform is a great choice for many reasons. One of them is the large set of functions and settings with which an online store can be adjusted. If you are new to Magento, you will probably have a number of questions. One of the most frequent is how to use product attribute sets properly.

In this article we will provide a detailed definition of what attribute sets are and how to use them with the maximum efficiency.

Categories: Content Management

Cloud storage – Putting all your eggs in one basket

CMS Report - 24 October, 2014 - 10:42

Cloud storage enables users to store data online. This makes data easily accessible for other users who have been given access to the files. Cloud storage reduces the need for expensive offline data storage devices and if done correctly, can save a lot of time as well as money.

But should you put all your eggs in one basket?

Categories: Content Management

90% of Holiday Shoppers Expect Consistent Brand Experiences According to SDL Survey

CMS Report - 23 October, 2014 - 22:58

Ninety percent of consumers said they expect the customer experience to be consistent across channels and devices used to interact with brands this holiday shopping season, according to a new global study of more than 3,000 consumers by SDL. This is a growing expectation from shoppers, representing a 17 percent increase from what consumers reported last year.

Considering that half of holiday shoppers use their mobile devices to research possible gifts before purchasing them in-store and 6 in 10 holiday shoppers do at least some showrooming – going to stores to evaluate products but then purchasing online – brands should make it a priority that the customer experience is consistent across channels and devices, something many consumers have reported frustrations with.

Categories: Content Management

Learning Light names its top eight performing learning management systems

CMS Report - 23 October, 2014 - 22:22

Learning Light, the UK-based independent e-learning industry market analyst, has produced its own thorough analysis of learning management systems (LMSs) identifying its top performers.

Learning Light Director, David Patterson, said: “We’re aware that other organizations – notably Craig Weiss’ E-Learning 24/7 - publish lists of the top LMSs but our detailed analysis relates specifically to these LMSs’ appropriateness for use by corporate training organizations and training departments in the UK. We’ve carried out this research in the light of Business Innovation and Skills (BIS)’s statement that, from September 2014, Individual Learner Records for funded further education courses must show a minimum of ten per cent of individuals’ learning via materials delivered online.

“This is going to increase demand for LMSs in the UK – and, at present, there are some 600 LMSs from which to choose. We’ve based our analysis on the cost of ownership; features and functionalities; development pathway and future-proofing from a training industry perspective.”

Categories: Content Management

What The Future Holds for Web Design and CMS

CMS Report - 23 October, 2014 - 10:40

While SquareSpace and Wordpress battle for the top spot, a new AI website design company could change the way we look at CMS all together.

Categories: Content Management

Drupal.org Maintenance: Oct 23rd 14:00 PDT (21:00 UTC)

Drupal - 22 October, 2014 - 16:58

Drupal.org will be affected by maintenance Thursday, October 23rd 14:00 PDT, 21:00 UTC.

An increase of the MySQL innodb_buffer_pool_size will cause a short downtime for Drupal.org while MySQL is restarted. We plan on a 30 minute window of potential instability, though the actual outage should be 5 minutes or less.

Please follow the @drupal_infra Twitter account for any issues encountered during the maintenance window.

Thanks for your patience!

Categories: Content Management

Confirmit Honoured with Third Consecutive CUSTOMER Magazine TMC Labs Innovation Award

CMS Report - 20 October, 2014 - 10:36

Confirmit, the leading global solutions provider for Customer Experience, Employee Engagement and Market Research, announced that TMC, a global, integrated media company, has named Confirmit Horizons Version 18 as a 2014 TMC Labs Innovation Award winner presented by TMC’s CUSTOMER magazine.

Categories: Content Management

How Wearable Tech Can Turn the Internet of Things Into the Internet of You

CMS Report - 17 October, 2014 - 15:03

You’ve probably heard of the Internet of Things (IoT) and how it’s set to completely transform the world. Some may view this as an exaggerated take, but there’s little question that companies across the globe are taking an intense interest in it. The central concept of the IoT features tiny sensors and other machines that are all connected to the internet, allowing them to communicate with people as well as each other. Some experts are predicting that by the year 2020, there could be as many as 20 to 30 million items that are part of the Internet of Things. While there is a lot of hype surrounding the IoT, what’s often lost in the discussion is how the individual will contribute to and be affected by it. In fact, as more focus is placed on people, it’s becoming clear that wearable technology will play a big role in driving the Internet of Things, turning the whole idea into the Internet of You.

Categories: Content Management

TERMINALFOUR Delivers Higher Education Digital Engagement Platform after $2M Investment

CMS Report - 15 October, 2014 - 19:00

This is the culmination of 18 months of R&D and evolves the product beyond its web content management roots to a full digital engagement platform for higher education.

* Solution available in two editions: TERMINALFOUR Site Manager 8 and TERMINALFOUR Engage.edu

* 150 new feature enhancements and extensive re-architecture

* 55,000+ development hours into the TERMINALFOUR Digital Engagement Platform; 40% increase in R&D team

Categories: Content Management

Drupal 7.32 released

Drupal - 15 October, 2014 - 12:47

Drupal 7.32, a maintenance release which contains fixes for security vulnerabilities, is now available for download. See the Drupal 7.32 release notes for further information.

Download Drupal 7.32

Upgrading your existing Drupal 7 is strongly recommended. There are no new features or non-security-related bug fixes in this release. For more information about the Drupal 7.x release series, consult the Drupal 7.0 release announcement.

Security information

We have a security announcement mailing list and a history of all security advisories, as well as an RSS feed with the most recent security advisories. We strongly advise Drupal administrators to sign up for the list.

Drupal 7 and 6 include the built-in Update Status module (renamed to Update Manager in Drupal 7), which informs you about important updates to your modules and themes.

Bug reports

Both Drupal 7.x and 6.x are being maintained, so given enough bug fixes (not just bug reports) more maintenance releases will be made available, according to our monthly release cycle.

Changelog

Drupal 7.32 is a security release only. For more details, see the 7.32 release notes. A complete list of all bug fixes in the stable 7.x branch can be found in the git commit log.

Security vulnerabilities

Drupal 7.32 was released in response to the discovery of critical security vulnerabilities. Details can be found in the official security advisory:

To fix the security problem, please upgrade to Drupal 7.32.

Known issues

None.

Front page news: Planet Drupal
Drupal version: Drupal 7.x
Categories: Content Management

The Rise of Mobile CRM: Why So Many Companies Are Making the Switch

CMS Report - 14 October, 2014 - 10:41

Businesses of all sizes have adopted mobile CRM for several important reasons, one of the most important being further promoting a mobile workforce. Many employees, particularly sales representatives, find themselves away from the office, which would normally cut them off from important data.

Categories: Content Management

Moxie Infographic: Men holiday shop via mobile devices

CMS Report - 13 October, 2014 - 17:51

Moxie Software recently unveiled a new mobile chat solution and their press relations folks have been in full gear briefing tech blogs on the benefits of the new software. That's alright because besides the marketing aspects they're also throwing some interesting information our way. A new study commissioned by Moxie reveals 62% of survey participants expect live chat to be available on mobile devices, and 82% would use it. There are a lot of interesting stats in the study that impact the role live chat may have in the customer experience and, surprisingly, the numbers reveal chat may have more influence on sales than social media does.

We've received a copy of the study and once I've dissected the numbers better I'll post my thoughts and comments on this blog. Until then, here's one interesting part of the study: of those surveyed, more men shop online than women. I'm not sure if this is true for my household, but where my wife is willing to shop online and offline I have to admit I prefer the online shopping experience over brick and mortar.

Categories: Content Management

Openwave Mobility Launches Industry’s First 4K Ultra-HD Video Optimization for Mobile Devices

CMS Report - 13 October, 2014 - 14:26

Openwave Mobility, a software innovator enabling operators to manage and monetize mobile data, is the first company to provide comprehensive optimization for 4K Ultra-HD video on mobile networks. It offers carriers up to five times more data savings compared to previous technologies. Openwave Mobility’s DynaMO is now capable of optimizing High Efficiency Video Coding (HEVC) to achieve optimum HD video playback on mobile devices.

Categories: Content Management

How Big Data can Improve Marketing ROI

CMS Report - 10 October, 2014 - 10:41

The implementation of big data has proven to increase a company’s ROI by as much as ten to 20 percent depending on the metrics used. Productivity can also increase by five percent and lead to six percent higher profits than other competitors. Enterprises not using big data in their operations are missing out on the benefits that come from increased data gathering and analytics.

Categories: Content Management

Business Pizza, Bugs, and Fun October 17, 2014

Joomla! - 10 October, 2014 - 08:33

You're Invited

Please consider this your personal invitation to join us next week, Friday, the 17th of October, for our Business Pizza, Bugs, and Fun event. It's an all-day global event that's open to all virtual participants that are interested. There will also be local venues wherever they are organized. The key goal is to fix as many Joomla 3 and Joomla 2.5 bugs as possible before the next maintenance releases.

Friday October 17th

We've dubbed the event as a Business PBF, since it's on a weekday (Friday) and we'd like to get more businesses involved. Last year's event was a huge success and we'd love it if you join us for this year's. We've created badges that you can use on your sites to spread awareness of the event and get recognition for your participation. For more information, check out our landing page at http://developer.joomla.org/pbf.

Categories: Content Management