SA-CONTRIB-2012-055 - Fusion theme - Cross Site Scripting (XSS)

By Drupal Security Team on 28 Mar 2012 at 20:41 UTC

Advisory ID: DRUPAL-SA-CONTRIB-2012-055
Project: Fusion (third-party theme)
Version: 6.x
Date: 2012-March-28
Security risk: Moderately critical
Exploitable from: Remote
Vulnerability: Cross Site Scripting

Description

CVE: CVE-2012-2083

Fusion is a base theme that provides a configurable grid system and modular styling for common Drupal UI components.

The theme outputs a CSS class for the tag based on the current URL, but does not provide sufficient filtering to prevent a Cross site scripting (XSS) attack.

This vulnerability affects all sub-themes of Fusion.

Versions affected

Fusion 6.x-1.x versions prior to 6.x-1.13

Drupal core is not affected. If you do not use the contributed Fusion module, there is nothing you need to do.

Solution

If you utilize Fusion or a Fusion-based theme, you should upgrade to Fusion 6.x-1.13.

Most Fusion sub-themes will inherit this fix.
If you copied code from Fusion core's template.php file into a custom sub-theme's template.php file you should compare your code to the changes made in this release to ensure the vulnerability has not been duplicated.
In YOURTHEME_preprocess_page() look for this code:

$vars['body_id'] = 'pid-' . strtolower(preg_replace('/[_+\/]/', '-', drupal_get_path_alias($_GET['q'])));

If this code exists within your sub-theme, there are two possible solutions:
1. Recommended: Delete the line of code. It is unnecessary in your sub-theme since the sub-theme will inherit this functionality from Fusion Core
2. Replace the code with the following:
  
  $vars['body_id'] = 'pid-' . strtolower(fusion_core_clean_css_identifier(drupal_get_path_alias($_GET['q'])));
  
  fusion_core_clean_css_identifier() is a function added in this security release of Fusion. Making this change to your sub-theme's code without updating Fusion core will result in a WSOD.