Feed aggregator

SA-CONTRIB-2014-072 - Freelinking, Freelinking Case Tracker - Access bypass

Drupal Contrib Security Announcements - Wed, 07/23/2014 - 17:47
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-072
  • Project: freelinking (third-party module)
  • Project: freelinking case tracker (third-party module)
  • Version: 6.x, 7.x
  • Date: 2014-July-23
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

The freelinking and freelinking case tracker modules implement a filter for the easier creation of HTML links to other pages in the site or external sites with a wiki style format such as [[pluginname:identifier]].

The module doesn't sufficiently check access to content when displaying links to nodes and users. This makes it possible to see node titles, usernames and potentially other data depending on the site configuration.

This vulnerability is mitigated by the fact that a site must use node access or permissions to prevent some users from viewing some nodes or users.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected

All versions of Freelinking and Freelinking for case tracker

Drupal core is not affected. If you do not use the contributed freelinking or freelinking Case tracker modules, there is nothing you need to do.

Solution

Uninstall the module; it is no longer maintained.

Also see the freelinking and freelinking case tracker project pages.

Reported by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Categories: Security posts

SA-CONTRIB-2014-071 - FileField - Access bypass

Drupal Contrib Security Announcements - Wed, 07/16/2014 - 20:51
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-071
  • Project: FileField (third-party module)
  • Version: 6.x
  • Date: 2014-July-16
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

The FileField module enables you to define and use fields that contain files.

The module doesn't sufficiently check permission to view the attached file when attaching a file that was previously uploaded. This could allow attackers to gain access to private files.

This vulnerability is mitigated by the fact that the attacker must have permission to create or edit content with a file field.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • FileField 6.x-3.x versions prior to 6.x-3.13.

Drupal core is not affected. If you do not use the contributed FileField module, there is nothing you need to do.

Solution

Reported by

Fixed by

Contact and More Information

Drupal version: Drupal 6.x
Categories: Security posts

SA-CORE-2014-003 - Drupal core - Multiple vulnerabilities

Drupal Core Security Announcements - Wed, 07/16/2014 - 14:48
  • Advisory ID: DRUPAL-SA-CORE-2014-003
  • Project: Drupal core
  • Version: 6.x, 7.x
  • Date: 2014-July-16
  • Security risk: Critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities
Description

Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.

Denial of service with malicious HTTP Host header (Base system - Drupal 6 and 7 - Critical)

Drupal core's multisite feature dynamically determines which configuration file to use based on the HTTP Host header.

The HTTP Host header validation does not sufficiently check maliciously-crafted header values, thereby exposing a denial of service vulnerability. This vulnerability also affects sites that don't actually use the multisite feature.
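
A sketch of the kind of check this item calls for, added here as an example; it is not Drupal core code and not the patch shipped in 6.32 or 7.29. The function names, the length and label limits, and the simplified directory lookup order are assumptions.

```php
<?php
// Added illustration, not Drupal core code. The limits, function names and
// the simplified lookup order below are assumptions made for this example.

const EXAMPLE_MAX_HOST_LENGTH = 253; // assumed cap: longest valid DNS name
const EXAMPLE_MAX_HOST_LABELS = 32;  // assumed cap on dot-separated labels

/**
 * Decides whether a Host header value may be used to pick a site directory.
 */
function example_valid_http_host($host) {
  if (!is_string($host) || $host === '' || strlen($host) > EXAMPLE_MAX_HOST_LENGTH) {
    return FALSE;
  }
  // Hostname, IPv4 address or bracketed IPv6 literal, then an optional port.
  // The D modifier stops "$" from matching before a trailing newline.
  if (!preg_match('/^(\[[0-9a-f:.]+\]|[a-z0-9._-]+)(?::([0-9]{1,5}))?$/iD', $host, $m)) {
    return FALSE;
  }
  if (isset($m[2]) && (int) $m[2] > 65535) {
    return FALSE;
  }
  $name = $m[1];
  if ($name[0] === '[') {
    return TRUE;
  }
  // Allow a single trailing dot (fully qualified form), then check each label.
  if (substr($name, -1) === '.') {
    $name = substr($name, 0, -1);
  }
  $labels = explode('.', $name);
  if (count($labels) > EXAMPLE_MAX_HOST_LABELS) {
    return FALSE;
  }
  foreach ($labels as $label) {
    if ($label === '' || strlen($label) > 63) {
      return FALSE;
    }
  }
  return TRUE;
}

/**
 * Lists the site directories to probe for a validated host, most specific
 * first: "www.example.com", "example.com", "com", then "default".
 * One candidate per label, so the label cap also caps filesystem lookups.
 */
function example_site_dir_candidates($host) {
  $name = strtolower(preg_replace('/:[0-9]+$/D', '', $host));
  $labels = explode('.', rtrim($name, '.'));
  $candidates = array();
  for ($i = 0; $i < count($labels); $i++) {
    $candidates[] = implode('.', array_slice($labels, $i));
  }
  $candidates[] = 'default';
  return $candidates;
}

/**
 * Picks the configuration directory, or returns NULL so the caller can
 * answer 400 Bad Request before any directory lookup happens.
 */
function example_select_site_dir($host, array $existing_dirs) {
  if (!example_valid_http_host($host)) {
    return NULL;
  }
  foreach (example_site_dir_candidates($host) as $dir) {
    if (in_array($dir, $existing_dirs, TRUE)) {
      return $dir;
    }
  }
  return 'default';
}

// Constructed sample data: directories assumed to exist under sites/.
$existing = array('example.com', 'default');
$samples = array(
  'www.example.com',
  'Example.com:8080',
  "example.com\n",                 // trailing newline, rejected by the pattern
  'a..b',                          // empty label
  str_repeat('a.', 200) . 'com',   // exceeds the length cap
);
foreach ($samples as $host) {
  $dir = example_select_site_dir($host, $existing);
  printf("%-24s => %s\n", json_encode(substr($host, 0, 20)), $dir === NULL ? '400 Bad Request' : $dir);
}
```

Validation runs even when only `default` exists, which matches the advisory's point that sites not using multisite are affected too.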

Access bypass (File module - Drupal 7 - Critical)

The File module included in Drupal 7 core allows attaching files to pieces of content. The module doesn't sufficiently check permission to view the attached file when attaching a file that was previously uploaded. This could allow attackers to gain access to private files.

This vulnerability is mitigated by the fact that the attacker must have permission to create or edit content with a file field.

Note: The Drupal 6 FileField module is affected by a similar issue (see SA-CONTRIB-2014-071 - FileField - Access bypass) and requires an update to the current security release of Drupal 6 core in order for the fix released there to work correctly. However, Drupal 6 core itself is not directly affected.

Cross-site scripting (Form API option groups - Drupal 6 and 7 - Moderately critical)

A cross-site scripting vulnerability was found due to Drupal's form API failing to sanitize option group labels in select elements. This vulnerability affects Drupal 6 core directly, and likely affects Drupal 7 forms provided by contributed or custom modules.

This vulnerability is mitigated by the fact that it requires the "administer taxonomy" permission to exploit in Drupal 6 core, and there is no known exploit within Drupal 7 core itself.
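
The class of bug described above, as an added example that is not Drupal's form API code: a select renderer that escapes option values and labels but not option group labels, next to the corrected behaviour. The function names and the sample data are hypothetical.

```php
<?php
// Added illustration, not Drupal's form API. Function names are hypothetical.

/** Escapes text for an HTML attribute value or element content. */
function example_escape($text) {
  return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
}

/**
 * Renders <option>/<optgroup> markup from a nested options array.
 * A key whose value is an array is an option group; the key is its label.
 *
 * With $escape_group_labels = FALSE the function reproduces the flaw:
 * option values and labels are escaped, group labels are emitted raw.
 */
function example_select_options(array $options, $selected = NULL, $escape_group_labels = TRUE) {
  $html = '';
  foreach ($options as $key => $choice) {
    if (is_array($choice)) {
      $label = $escape_group_labels ? example_escape($key) : $key;
      $html .= '<optgroup label="' . $label . '">';
      $html .= example_select_options($choice, $selected, $escape_group_labels);
      $html .= '</optgroup>';
    }
    else {
      $attr = ((string) $key === (string) $selected) ? ' selected="selected"' : '';
      $html .= '<option value="' . example_escape($key) . '"' . $attr . '>'
        . example_escape($choice) . '</option>';
    }
  }
  return $html;
}

// Constructed sample: a group label taken from user-editable data (assumed
// here to be a vocabulary name) that contains quote and markup characters.
$options = array(
  'Tags "beta" <b>' => array(1 => 'alpha', 2 => 'R&D'),
  3 => 'ungrouped',
);

// Unescaped group label: the quote ends the attribute and the markup is live.
echo example_select_options($options, 2, FALSE), "\n";

// Escaped group label: the same data stays inside the attribute value.
echo example_select_options($options, 2, TRUE), "\n";
```

Any module that builds option groups from stored names relies on the renderer for this escaping, which is why the advisory flags contributed and custom Drupal 7 forms as likely affected.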

Cross-site scripting (Ajax system - Drupal 7 - Moderately critical)

A reflected cross-site scripting vulnerability was found in certain forms containing a combination of an Ajax-enabled textfield (for example, an autocomplete field) and a file field.

This vulnerability is mitigated by the fact that an attacker can only trigger the attack in a limited set of circumstances, usually requiring custom or contributed modules.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Drupal core 6.x versions prior to 6.32.
  • Drupal core 7.x versions prior to 7.29.
Solution

Install the latest version:

Also see the Drupal core project page.

Reported by
  • The denial of service vulnerability using malicious HTTP Host headers was reported by Régis Leroy.
  • The access bypass vulnerability in the File module was reported by Ivan Ch.
  • The cross-site scripting vulnerability with Form API option groups was reported by Károly Négyesi.
  • The cross-site scripting vulnerability in the Ajax system was reported by mani22test.
Fixed by
  • The denial of service vulnerability using malicious HTTP Host headers was fixed by Régis Leroy, and by Klaus Purer of the Drupal Security Team.
  • The access bypass vulnerability in the File module was fixed by Nate Haug and Ivan Ch, and by Drupal Security Team members David Rothstein, Heine Deelstra and David Snopek.
  • The cross-site scripting vulnerability with Form API option groups was fixed by Greg Knaddison of the Drupal Security Team.
  • The cross-site scripting vulnerability in the Ajax system was fixed by Neil Drumm of the Drupal Security Team.
Coordinated by

Contact and More Information

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-070 - Password Policy - Access Bypass

Drupal Contrib Security Announcements - Wed, 07/16/2014 - 13:19
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-070
  • Project: Password Policy (third-party module)
  • Version: 6.x, 7.x
  • Date: 2014-July-16
  • Security risk: Less critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

The Password Policy module enables you to define and enforce password policies with various constraints on allowable user passwords.

Access Bypass (7.x only)

Password Policy has a Password Change Tab submodule which provides a tab for a user to change their password. Password Policy also has a history constraint which disallows a user from changing their password to one of a specified number of their previous passwords.

When the Password Change Tab module and the history constraint are both enabled, password history will not be stored for a user who changes their password using the password tab. This will allow the user to change their password to one of their previous passwords in violation of the history constraint.

This vulnerability is mitigated by the fact that it only exists when both the Password Change Tab module and the history constraint are enabled.

Access Bypass (6.x and 7.x)

Password Policy has a feature that allows an administrator to force one or more users to change their password at their next login. Under certain circumstances, the users may not actually be forced to change their passwords.

Specifically, if between the time the administrator flags a user for a forced password change and the time that user logs in, an update operation is programmatically performed on the user, the user will no longer be flagged for a forced password change. For instance, executing the Drush command drush user-add-role to add a role to a user who is flagged for a password change would cause that user to no longer be forced to change their password.

This vulnerability is mitigated by the fact that it only affects users for whom an administrator has forced a password change.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Password Policy 6.x-1.x versions prior to 6.x-1.8.
  • Password Policy 7.x-1.x versions prior to 7.x-1.9.

Drupal core is not affected. If you do not use the contributed Password Policy module, there is nothing you need to do.

Solution
  1. Install the latest version:
  2. Force users who may have been affected by the force password change vulnerability to change their passwords.

Also see the Password Policy project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

Drupal version: Drupal 6.x, Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-069 - Logintoboggan - Access Bypass and Cross Site Scripting (XSS)

Drupal Contrib Security Announcements - Wed, 07/09/2014 - 17:17
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-069
  • Project: LoginToboggan (third-party module)
  • Version: 7.x
  • Date: 2014-July-09
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting, Access bypass
Description

This module enables you to customise the standard Drupal registration and login processes.

Cross Site Scripting

The module doesn't filter user-supplied information from the URL resulting in a reflected Cross Site Scripting (XSS) vulnerability.

Access Bypass

The module introduces a concept of a "pre-authorized role" which can have different permissions than the normal Drupal core authorized role. Logintoboggan usually removes permissions for a user if those permissions are in the "authorized user" role and not in the "pre-authorized role". The module failed to remove those permissions for users in a pre-authorized state on all "Page Not Found" (i.e. 404) pages.

This vulnerability is mitigated by the fact that a site must use the "pre-authorized role" feature and an attacker would only gain permissions available to authenticated users and would only gain them on 404 pages which do not show private information in a default Drupal installation.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Logintoboggan 7.x-1.x versions prior to 7.x-1.4

Drupal core is not affected. If you do not use the contributed LoginToboggan module, there is nothing you need to do.

Solution

Install the latest version:

Also see the LoginToboggan project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-068 - Pane - XSS

Drupal Contrib Security Announcements - Wed, 07/02/2014 - 20:09
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-068
  • Project: Pane (third-party module)
  • Version: 7.x
  • Date: 2014-July-02
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting
Description

This module did not properly sanitize content entered for the title. It allowed sufficiently privileged users to add arbitrary HTML which could result in XSS attacks.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks" or ability to edit Panel panes.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Pane 7.x-2.x versions prior to 7.x-2.5.

Drupal core is not affected. If you do not use the contributed Pane module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Pane module for Drupal 7.x, upgrade to Pane 7.x-2.5

Also see the Pane project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

Categories: Security posts

SA-CONTRIB-2014-067 - Meta Tags Quick - Multiple vulnerabilities

Drupal Contrib Security Announcements - Wed, 07/02/2014 - 13:39
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-067
  • Project: Meta tags quick (third-party module)
  • Version: 7.x
  • Date: 2014-July-02
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Cross Site Scripting, Open Redirect
Description

Meta tags quick adds meta tags editing to all non-administrative pages of a Drupal site.

Redirector abuse in path-based meta tag editing form

When editing a path-based meta tag, the module does not check the destination parameter of the URL, allowing an attacker to pass an arbitrary URL to the meta tag editing form.

XSS in path-based meta tag editing form

It is possible to inject arbitrary JavaScript via the module's Path-based Metatags edit form that executes when a user attempts to delete a Path-based Metatag.

Both vulnerabilities are mitigated by the fact that an attacker must have a role with the permission "Edit path based meta tags".

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Meta tags quick 7.x-2.x versions from and including 7.x-2.1 to 7.x-2.7 (7.x-1.x and 7.x-2.0 are not affected)

Drupal core is not affected. If you do not use the contributed Meta tags quick module, there is nothing you need to do.

Solution

If you use the Meta tags quick 7.x-2.x for Drupal 7, upgrade to Meta tags quick 7.x-2.8

Also see the Meta tags quick project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

Drupal version: Drupal 7.x
Categories: Security posts

SA-CONTRIB-2014-066 - Node Access Keys - Access Bypass

Drupal Contrib Security Announcements - Wed, 07/02/2014 - 13:32
  • Advisory ID: DRUPAL-SA-CONTRIB-2014-066
  • Project: Node Access Keys (third-party module)
  • Version: 7.x
  • Date: 2014-July-02
  • Security risk: Moderately critical
  • Exploitable from: Remote
  • Vulnerability: Access bypass
Description

Node Access Keys helps to grant users temporary view permissions to selected content types on a per user role basis.

It was found that unpublished nodes of content types that did not have an access key were visible to all. Also, if an unpublished node of a content type that was protected by an access key was visited with the access key, then access was granted.

CVE identifier(s) issued
  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.
Versions affected
  • Node Access Keys 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Node Access Keys module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Node Access Keys project page.

Reported by
  • This issue was disclosed publicly.
Fixed by

Coordinated by

Contact and More Information

Drupal version: Drupal 7.x
Categories: Security posts

Display Hidden section causes erratic behavior.

Drupal Contrib Security Announcements - Sat, 06/28/2014 - 15:19
  • Project: Insert Field
  • Status: Active
  • Priority: Normal
  • Category: Bug report
  • Component: Code
  • Assigned: davidwbarratt

Erratic behavior can occur whenever a field (parent or child) is moved from being displayed to being hidden.

Categories: Security posts

Widgets and Displays support Fieldception

Drupal Contrib Security Announcements - Sat, 06/28/2014 - 15:18
  • Project: Insert Field
  • Status: Active
  • Priority: Normal
  • Category: Bug report
  • Component: Code
  • Assigned: davidwbarratt

Fields should only be allowed to be inserted one level deep, or a solution for recursion should be established.

Categories: Security posts

Widget Parent is Lost when saving from field settings.

Drupal Contrib Security Announcements - Sat, 06/28/2014 - 15:17
  • Project: Insert Field
  • Status: Active
  • Priority: Normal
  • Category: Bug report
  • Component: Code
  • Assigned: davidwbarratt

Whenever a field is saved from the field settings
http://example.com/admin/structure/types/manage/article/fields/field_image

The field loses its field parent.

Categories: Security posts

How is the module intended to work?

Drupal Contrib Security Announcements - Sat, 06/28/2014 - 15:16
  • Project: UUID Node Properties
  • Version: 7.x-1.0-beta1
  • Status: Active
  • Priority: Normal
  • Category: Support request
  • Component: Miscellaneous
  • Assigned: Unassigned

If used with deployments, should it add dependencies (e.g., from a leaf book page to its parents) automatically?

It currently does not seem to handle such dependencies. If that's the current state of affairs (which is fine, I can take care of it in my own code), it would be nice, however, to have an explicit hint on the module page.

Thank you very much for the module, it enables using books with deploy!

Categories: Security posts

Error when running cron

Drupal Contrib Security Announcements - Sat, 06/28/2014 - 15:15

When I run cron, I get an error message and a link to https://www.drupal.org/SA-CORE-2013-003

Can someone explain to me what this means and how to solve the problem?

Drupal version: Drupal 7.x
Categories: Security posts

Installing Zend Optimizer Plus Opcache on Linux/Windows (Alternative for APC)

Drupal Contrib Security Announcements - Sat, 06/28/2014 - 15:11

Installing on Windows

Download Zend Optimizer from the following link:

http://downloads.php.net/pierre/

You should download the thread-safe build if you are using mod_php with Apache 2 (ZendfOptimizerPlus-20130214-5.3-ts-vc9-x86.zip)

Change the following in your php.ini

; Zend Optimizer
zend_extension = "C:\php-5.3\ext\php_ZendOptimizerPlus.dll"
opcache.memory_consumption=128
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=4000
opcache.revalidate_freq=60
opcache.fast_shutdown=1
opcache.enable_cli=1
;opcache.save_comments=0
;opcache.enable_file_override=1
;XDEBUG
zend_extension = "C:\php-5.3\ext\php_xdebug-2.2.5-5.3-vc9.dll"
xdebug.remote_enable=1
xdebug.remote_host=127.0.0.1
xdebug.remote_port=9000
; Port number must match debugger port number in NetBeans IDE Tools > Options > PHP
xdebug.remote_handler=dbgp
xdebug.profiler_enable=1
xdebug.profiler_output_dir="D:\www\tmp"

If you are using Xdebug, always load Zend Optimizer before Xdebug, as shown above.

Check the installation with php -v

c:\>php -v
PHP 5.3.28 (cli) (built: Dec 10 2013 22:27:36)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2013 Zend Technologies
    with Zend Optimizer+ v7.0.0, Copyright (c) 1999-2013, by Zend Technologies
    with Xdebug v2.2.5, Copyright (c) 2002-2014, by Derick Rethans

For further optimization please look at https://github.com/zendtech/ZendOptimizerPlus

Installing on Linux

$PHP_DIR/bin/phpize
./configure \
      --with-php-config=$PHP_DIR/bin/php-config
make
make install # this will copy opcache.so into PHP extension directory

Go to https://github.com/zendtech/ZendOptimizerPlus for more information

Drupal version: Drupal 7.x
Categories: Security posts

Setting an affiliate value using rules

Drupal Contrib Security Announcements - Sat, 06/28/2014 - 15:09

I have installed the Affiliate module and am trying to set all of the users as affiliates when they create new accounts as opposed to them having to go into their profile and check the box.

I have tried 2 ways that haven't worked for me, i.e. when I do them users still aren't marked as affiliates without having to go into the profile, turn it on and save the account.

Method 1:

function **edited**(&$edit, $account, $category) {
  if ($account->is_new) {
    $edit['data']['affiliate_optin'] = isset($edit['affiliate_optin']) ? $edit['affiliate_optin'] : 1;
  }
}

Method 2:

I created a rule that executes this custom PHP

affiliate_insert_affiliate([account:uid],1);
affiliate_set_affiliate_status([account:uid],1);
affiliate_optin([account:uid],1);

I am starting to get pretty desperate so any help would be greatly appreciated.

Thanks,

Kris

Drupal version: Drupal 7.x
Categories: Security posts

How to manage your photos on Flickr.com

Drupal Contrib Security Announcements - Sat, 06/28/2014 - 14:50

To get the most out of the Drupal Flickr module, on your flickr.com account you should:

  1. complete the information associated with your account and your own photos
  2. put your own photos that you want to embed as a slideshow in photosets (aka 'albums' on Flickr)
  3. put the photos from others you want to embed as an album in galleries (not for your own photos, not available as slideshow)
  4. create an invite-only public group if you intend to display photos of a fixed group of Flickr members without the need of giving them permissions on your website, e.g. for a sports club website
  5. know how to find appropriate keywords to fill a site quickly with public images related to the content based on taxonomy terms attached to a post.
Categories: Security posts
