- Advisory ID: DRUPAL-SA-CONTRIB-2012-055
- Project: Fusion (third-party theme)
- Version: 6.x
- Date: 2012-March-28
- Security risk: Moderately critical
- Exploitable from: Remote
- Vulnerability: Cross Site Scripting
Description
CVE: CVE-2012-2083
Fusion is a base theme that provides a configurable grid system and modular styling for common Drupal UI components.
The theme builds a CSS id for the <body> tag from the current URL (the path alias of the requested path), but does not sufficiently filter that value before printing it into the attribute, so a crafted URL can break out of the attribute and inject markup (cross-site scripting, XSS).
This vulnerability affects all sub-themes of Fusion.
Versions affected
- Fusion 6.x-1.x versions prior to 6.x-1.13
Drupal core is not affected. If you do not use the contributed Fusion theme (or a theme based on it), there is nothing you need to do.
Solution
If you utilize Fusion or a Fusion-based theme, you should upgrade to Fusion 6.x-1.13.
- Most Fusion sub-themes will inherit this fix.
- If you copied code from Fusion core's template.php file into a custom sub-theme's template.php file you should compare your code to the changes made in this release to ensure the vulnerability has not been duplicated.
In YOURTHEME_preprocess_page(), look for this code:

$vars['body_id'] = 'pid-' . strtolower(preg_replace('/[_+\/]/', '-', drupal_get_path_alias($_GET['q'])));

If this code exists within your sub-theme, there are two possible solutions:
- Recommended: delete the line of code. It is unnecessary in your sub-theme, since the sub-theme inherits this functionality from Fusion Core.
- Replace the code with the following:

$vars['body_id'] = 'pid-' . strtolower(fusion_core_clean_css_identifier(drupal_get_path_alias($_GET['q'])));

fusion_core_clean_css_identifier() is a function added in this security release of Fusion. Making this change to your sub-theme's code without updating Fusion core will result in a WSOD (white screen of death: the call to the not-yet-existing function is a fatal error on every page).
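The following PHP is an added illustration of the flaw described above and of the sub-theme fix; it is not code from Fusion, the advisory, or the Drupal project. The regex-only line is the vulnerable pattern quoted above; the hardened path is an allowlist cleaner written here for illustration. The names example_path_alias() and example_clean_css_identifier() are assumptions for this example (the real fusion_core_clean_css_identifier() may be implemented differently), and the alias table and attack URL are constructed sample data. The key observation is that drupal_get_path_alias() returns the system path unchanged when no alias exists, which hands the attacker-controlled $_GET['q'] straight to the attribute.

```php
<?php
// Added example, not part of Fusion or the advisory.

// Stand-in for drupal_get_path_alias(): when no alias exists for the path,
// Drupal returns the path itself, i.e. the raw value of $_GET['q'].
// The alias table is constructed sample data.
function example_path_alias($path) {
    $aliases = array('node/1' => 'about-us');
    return isset($aliases[$path]) ? $aliases[$path] : $path;
}

// Vulnerable form (the line the advisory tells sub-theme authors to look for):
// only '_', '+' and '/' are rewritten; '"', '<' and '>' pass through untouched.
function example_body_id_vulnerable($q) {
    return 'pid-' . strtolower(preg_replace('/[_+\/]/', '-', example_path_alias($q)));
}

// Hypothetical allowlist cleaner standing in for fusion_core_clean_css_identifier():
// map the same separators to '-', then drop every character that is not
// [A-Za-z0-9-]. Nothing outside the allowlist can reach the attribute value.
function example_clean_css_identifier($identifier) {
    $identifier = strtr($identifier, array('_' => '-', '+' => '-', '/' => '-'));
    return preg_replace('/[^a-zA-Z0-9\-]/', '', $identifier);
}

// Fixed form, mirroring the replacement line from the advisory.
function example_body_id_fixed($q) {
    return 'pid-' . strtolower(example_clean_css_identifier(example_path_alias($q)));
}

// Constructed attack path: no alias exists, so the raw string is used.
// It closes the id attribute and starts a new tag.
$attack = 'node/1"><script>alert(1)</script><x a="';

$vuln = example_body_id_vulnerable($attack);
$safe = example_body_id_fixed($attack);

// Vulnerable output still contains the attribute break-out.
if (strpos($vuln, '"><script>') === false) {
    throw new RuntimeException('expected the vulnerable id to contain the break-out');
}
// Hardened output is reduced to allowlisted characters only.
if ($safe !== 'pid-node-1scriptalert1-scriptxa') {
    throw new RuntimeException('unexpected cleaned id: ' . $safe);
}
// Legitimate paths are unaffected by the fix.
if (example_body_id_fixed('node/1') !== 'pid-about-us') {
    throw new RuntimeException('aliased path should map to its alias');
}
if (example_body_id_fixed('user/login') !== 'pid-user-login') {
    throw new RuntimeException('separators should become hyphens');
}

printf("<body id=\"%s\">  (vulnerable)\n", $vuln);
printf("<body id=\"%s\">  (fixed)\n", $safe);
```

Run with `php example.php`; the first printed line shows the attacker's markup landing inside the page, the second shows the same input collapsed to a harmless identifier. Note that the allowlist approach is deliberately lossy: any path that needs characters outside the allowlist simply loses them, which is the right trade-off for a value that only has to be a stable, unique CSS id.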
Also see the Fusion project page.
Reported by
- Jakub Suchy, of the Drupal Security Team
- Justin Emond
- Rick Manelius
- Abhishek Nagar
- Chris Lee
Fixed by
- Jason Yergeau, theme co-maintainer
- Sheena Donnelly, theme co-maintainer
Coordinated by
- Derek Wright of the Drupal Security Team
- Stéphane Corlosquet of the Drupal Security Team
- Greg Knaddison of the Drupal Security Team
- David Rothstein of the Drupal Security Team
Contact and More Information
The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.