June 2016


Gerald Giannone
SHOOTonline, 21 June 2016

Quality not quantity is most important to SHOOT users, advertisers, and staff. And that's what Drupion delivers and at a fair price. That's why we've been with Drupion for years. From our server transition years ago from Pantheon to last night with a Comodo SSL cert issue. We love the quality support Alex, Patrick, and Andrey (the Drupion support team) consistently deliver. They have our backs!!!

We're publishers without any IT background. So we had to go through a steep learning curve that included trying Acquia, AberdeenCloud, and Pantheon. We've learned a lot and been saved a lot with Drupion. Since discovering Drupion we've never considered another hosting company. If you're like us, save yourself a lot of hassles and frustrations you'll end up having if you go for the “easy one-size-fits-all” solutions advertised around the world.

SHOOT is the leading news and information source in the high-end professional Film, TV, Commercial production industry for over a half century. Our site, on a dedicated server, has 50,000 unique visitors a month, over 65,000 nodes, streams video, has 3 sub-sites, complete SSL, and Drupal commerce through Authorize.net and BOA merchant services. We have 2 active WordPress blogs as well.


Expanded support for WordPress and launch of the overhauled mobile-friendly website

Today, June 18, we launched our new mobile-friendly website and are proudly expanding our support for WordPress-based websites.

For many years, a number of Drupion clients whose main websites are built on Drupal have been hosting WordPress websites alongside them, for example to run their company blogs. So Drupion has de facto been supporting WordPress for a long while without formally including it in its services.

Views - Less Critical - Access Bypass

* Advisory ID: DRUPAL-SA-CONTRIB-2016-036
* Project: Views [1] (third-party module)
* Version: 7.x
* Date: 2016-June-15
* Security risk: 7/25 (Less Critical)
  AC:Basic/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
* Vulnerability: Access bypass


An access bypass vulnerability exists in the Views module, where users
without the "View content count" permission can see the number of hits
collected by the Statistics module for results in the view.

Page Manager Search - Moderately Critical - Information disclosure

* Advisory ID: DRUPAL-SA-CONTRIB-2016-032
* Project: Page manager search [1] (third-party module)
* Version: 7.x
* Date: 2016-June-08
* Security risk: 10/25 (Moderately Critical)
  AC:Complex/A:None/CI:Some/II:None/E:Theoretical/TD:Uncommon [2]
* Vulnerability: Information Disclosure

This module enables you to make Panels pages (and other pages managed by
CTools' Page Manager submodule) indexable and searchable through the standard
Search module provided in Drupal core.

REST JSON - Multiple Vulnerabilities - Highly Critical

* Advisory ID: DRUPAL-SA-CONTRIB-2016-033
* Project: REST/JSON [1] (third-party module)
* Version: 7.x
* Date: 2016-June-08
* Security risk: 19/25 (Critical)
  AC:None/A:None/CI:Some/II:Some/E:Proof/TD:All [2]
* Vulnerability: Access bypass, Information Disclosure, Multiple

This module enables you to expose content, users and comments via a JSON API.
The module contains multiple vulnerabilities including

Node Embed - Denial of Service - Less critical

* Advisory ID: DRUPAL-SA-CONTRIB-2016-034
* Project: Node Embed (third-party module)
* Version: 7.x
* Date: 2016-June-08
* Security risk: 5/25 (Less Critical)
* Vulnerability: Denial of Service

This module enables you to embed the contents of one node in the body field
of another.

The module doesn't sufficiently protect against a node being embedded in
itself, or a loop being created of one node being embedded in another which
is then itself embedded in the first node.
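
A sketch of the missing protection, added here as an illustration and not taken from the Node Embed module or its fix: the renderer tracks which nodes are already being rendered and refuses to expand a node that is its own ancestor. The `[[nid:N]]` token syntax, the `$bodies` array standing in for node storage, and the `MAX_EMBED_DEPTH` limit are assumptions.

```php
<?php
// Added illustration; not Node Embed's code. The [[nid:N]] token syntax,
// the $bodies array and MAX_EMBED_DEPTH are assumptions for this sketch.

const MAX_EMBED_DEPTH = 5;

/**
 * Expand [[nid:N]] tokens in a node body, refusing self-embeds and loops.
 *
 * @param int   $nid    Node whose body is being rendered.
 * @param array $bodies Constructed stand-in for node storage: nid => body.
 * @param array $stack  Node ids currently being rendered (the ancestors).
 */
function render_with_embeds(int $nid, array $bodies, array $stack = []): string
{
    if (in_array($nid, $stack, true)) {
        // Self-embed or A -> B -> A loop: stop instead of recursing.
        return '[embed loop: node ' . $nid . ' skipped]';
    }
    if (count($stack) >= MAX_EMBED_DEPTH) {
        // Bound the work even for long chains that never repeat a node.
        return '[embed depth limit reached]';
    }
    if (!isset($bodies[$nid])) {
        return '[missing node ' . $nid . ']';
    }
    $stack[] = $nid;

    return preg_replace_callback(
        '/\[\[nid:(\d+)\]\]/',
        function (array $m) use ($bodies, $stack): string {
            return render_with_embeds((int) $m[1], $bodies, $stack);
        },
        $bodies[$nid]
    );
}

// Constructed sample content: node 1 embeds itself; 2 and 3 embed each other.
$bodies = [
    1 => 'Intro [[nid:1]]',
    2 => 'Two then [[nid:3]]',
    3 => 'Three then [[nid:2]]',
    4 => 'Plain body',
    5 => 'Wraps [[nid:4]]',
];

foreach (array_keys($bodies) as $nid) {
    echo $nid . ': ' . render_with_embeds($nid, $bodies) . PHP_EOL;
}
```

The ancestor stack is passed by value, so two sibling embeds of the same node are still allowed; only a node that appears inside its own rendering is cut off.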

Outline Designer - Moderately Critical - Cross Site Scripting (XSS)

* Advisory ID: DRUPAL-SA-CONTRIB-2016-035
* Project: Outline Designer [1] (third-party module)
* Version: 7.x
* Date: 2016-June-08
* Security risk: 14/25 (Moderately Critical)
  AC:Basic/A:User/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting

This module enables you to mass administer book outlines and perform common
operations through one interface, improving the usability for the book

Opening hours - Moderately Critical

* Advisory ID: DRUPAL-SA-CONTRIB-2016-031
* Project: Opening hours [1] (third-party module)
* Version: 7.x
* Date: 2016-June-01
* Security risk: 12/25 (Moderately Critical)
  AC:Complex/A:Admin/CI:Some/II:Some/E:Theoretical/TD:All [2]
* Vulnerability: Cross Site Scripting

This module enables you to enter opening hours for locations in a highly
detailed way.

The module doesn't sufficiently escape input data from user input.