exploit the possibilities

Drupal Fusion 6.x Cross Site Scripting

Drupal Fusion 6.x Cross Site Scripting
Posted Mar 29, 2012
Authored by Justin Emond, Rick Manelius, Abhishek Nagar, Jakub Suchy, Chris Lee | Site drupal.org

The Drupal Fusion module version 6.x suffers from a cross site scripting vulnerability.

tags | advisory, xss
MD5 | 675db41d67ee019062147d16786d7f36

Drupal Fusion 6.x Cross Site Scripting

Change Mirror Download
  * Advisory ID: DRUPAL-SA-CONTRIB-2012-055
* Project: Fusion [1] (third-party theme)
* Version: 6.x
* Date: 2012-March-28
* Security risk: Moderately critical [2]
* Exploitable from: Remote
* Vulnerability: Cross Site Scripting

-------- DESCRIPTION
---------------------------------------------------------

Fusion is a base theme that provides a configurable grid system and modular
styling for common Drupal UI components.

The theme outputs a CSS class for the tag based on the current URL, but does
not provide sufficient filtering to prevent a Cross site scripting (XSS)
attack.

This vulnerability affects all sub-themes of Fusion.

-------- VERSIONS AFFECTED
---------------------------------------------------

* Fusion 6.x-1.x versions prior to 6.x-1.13

Drupal core is not affected. If you do not use the contributed Fusion [3]
module, there is nothing you need to do.

-------- SOLUTION
------------------------------------------------------------

If you utilize Fusion or a Fusion-based theme, you should upgrade to Fusion
6.x-1.13 [4].

* Most Fusion sub-themes will inherit this fix.
* If you copied code from Fusion core's template.php file into a custom
sub-theme's template.php file you should compare your code to the changes
made in this release to ensure the vulnerability has not been duplicated.
In YOURTHEME_preprocess_page() look for this code:
$vars['body_id'] = 'pid-' . strtolower(preg_replace('/[_+\/]/', '-',
drupal_get_path_alias($_GET['q'])));

If this code exists within your sub-theme, there are two possible
solutions:

1) *Recommended:* Delete the line of code. It is unnecessary in your
sub-theme since the sub-theme will inherit this functionality from
Fusion Core
2) Replace the code with the following:
$vars['body_id'] = 'pid-' .

strtolower(fusion_core_clean_css_identifier(drupal_get_path_alias($_GET['q'])));

fusion_core_clean_css_identifier() is a function added in this
security release of Fusion. Making this change to your sub-theme's
code without updating Fusion core will result in a WSOD.



Also see the Fusion [5] project page.

-------- REPORTED BY
---------------------------------------------------------

* Jakub Suchy [6], of the Drupal Security Team
* Justin Emond [7]
* Rick Manelius [8]
* Abhishek Nagar [9]
* Chris Lee [10]

-------- FIXED BY
------------------------------------------------------------

* Jason Yergeau [11], theme co-maintainer
* Sheena Donnelly [12], theme co-maintainer

-------- COORDINATED BY
------------------------------------------------------

* Derek Wright [13] of the Drupal Security Team
* St├ęphane Corlosquet [14] of the Drupal Security Team
* Greg Knaddison [15] of the Drupal Security Team
* David Rothstein [16] of the Drupal Security Team

-------- CONTACT AND MORE INFORMATION
----------------------------------------

The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [17].

Learn more about the Drupal Security team and their policies [18], writing
secure code for Drupal [19], and securing your site [20].


[1] http://drupal.org/project/fusion
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/fusion
[4] http://drupal.org/node/1506600
[5] http://drupal.org/project/fusion
[6] http://drupal.org/user/31977
[7] http://drupal.org/user/186334
[8] http://drupal.org/user/680072
[9] http://drupal.org/user/259737
[10] http://drupal.org/user/1117072
[11] http://drupal.org/user/162308
[12] http://drupal.org/user/380305
[13] http://drupal.org/user/46549
[14] http://drupal.org/user/52142
[15] http://drupal.org/user/36762
[16] http://drupal.org/user/124982
[17] http://drupal.org/contact
[18] http://drupal.org/security-team
[19] http://drupal.org/writing-secure-code
[20] http://drupal.org/security/secure-configuration

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

June 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    1 Files
  • 2
    Jun 2nd
    2 Files
  • 3
    Jun 3rd
    19 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    15 Files
  • 6
    Jun 6th
    12 Files
  • 7
    Jun 7th
    11 Files
  • 8
    Jun 8th
    1 Files
  • 9
    Jun 9th
    1 Files
  • 10
    Jun 10th
    15 Files
  • 11
    Jun 11th
    15 Files
  • 12
    Jun 12th
    15 Files
  • 13
    Jun 13th
    8 Files
  • 14
    Jun 14th
    16 Files
  • 15
    Jun 15th
    2 Files
  • 16
    Jun 16th
    1 Files
  • 17
    Jun 17th
    18 Files
  • 18
    Jun 18th
    16 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close