There were a lot of viruses on my two sites with this module, and some of the exploits had access to the file system. Over time, we realized that files get to the server through a theme switch request. I analyzed the module code using DeepSeek and formulated this message.

Problem/Motivation

The SwitchTheme module for Drupal 7 contains critical security vulnerabilities:

  1. Cross-Site Scripting (XSS) via the unsanitized $_GET['theme'] parameter
  2. Cross-Site Request Forgery (CSRF), because theme switching is performed via GET requests without token validation

These vulnerabilities allow:

  • Malicious JavaScript execution through crafted theme parameters
  • Unauthorized theme switching via CSRF attacks
  • Potential session hijacking and privilege escalation

Steps to reproduce

XSS Proof of Concept:

  1. Visit: http://example.com/?theme=<script>alert(document.cookie)</script>
  2. Observe JavaScript execution if the theme parameter is output without sanitization

CSRF Proof of Concept:

  1. Create a page containing: <img src="http://example.com/?theme=garland">
  2. When an authenticated admin visits this page, their theme changes automatically

Proposed resolution

  1. XSS Protection:
    • Apply check_plain() (or filter_xss()) to every place the theme parameter is output
    • Validate theme names against list_themes()
  2. CSRF Protection:
    • Change theme switching to POST-only requests
    • Implement drupal_get_token() validation
    • Add proper permission checks (hook_permission() + user_access())

Remaining tasks

  • Audit all user input handling in the module
  • Implement proper input sanitization
  • Convert GET handlers to POST forms
  • Add CSRF token validation
  • Write tests for security fixes
  • Update documentation

User interface changes

  • Theme switching interface should use a proper form instead of direct links
  • Add error messages for invalid theme selections
  • Add new permission in People » Permissions section

API changes

  • Deprecate public switchtheme_switch() function if it exists
  • Introduce new secure API methods with proper validation:
    function switchtheme_safe_switch($theme_name, $token) {
      // Validate theme exists and is enabled (list_themes() is keyed by machine name).
      $themes = list_themes();
      if (!isset($themes[$theme_name]) || empty($themes[$theme_name]->status)) { return FALSE; }
      // Check permissions (the permission name 'switch theme' is an assumption).
      if (!user_access('switch theme')) { return FALSE; }
      // Verify CSRF token; the caller obtains it from drupal_get_token('switchtheme').
      if (!drupal_valid_token($token, 'switchtheme')) { return FALSE; }
      return TRUE; // All checks passed: the switch may proceed.
    }
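
The following is an added example of how the proposed resolution and the secure API described above could look in a Drupal 7 module; it is not code from the SwitchTheme module or from this issue. It replaces the ?theme=... GET link with a Form API POST form (Drupal 7 adds and validates the form_token CSRF token automatically for authenticated users), gates the page behind a dedicated permission, validates the submitted value against list_themes() on both write and read, and only ever outputs theme names through escaping placeholders. The function names, the path 'switchtheme', the permission 'switch theme' and the session key are assumptions.

```php
<?php
// Added example, not the SwitchTheme module's code. Assumed: the module
// name 'switchtheme', the path 'switchtheme', the permission 'switch theme'
// and the session key 'switchtheme_theme'.

/**
 * Implements hook_permission().
 */
function switchtheme_permission() {
  return array(
    'switch theme' => array(
      'title' => t('Switch the site theme for the current session'),
    ),
  );
}

/**
 * Implements hook_menu().
 *
 * The access check runs before the page callback, so unprivileged users
 * never reach the form at all.
 */
function switchtheme_menu() {
  $items['switchtheme'] = array(
    'title' => 'Switch theme',
    'page callback' => 'drupal_get_form',
    'page arguments' => array('switchtheme_switch_form'),
    'access arguments' => array('switch theme'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Enabled themes as an #options array keyed by machine name.
 * Labels come from .info files and are escaped with check_plain().
 */
function switchtheme_enabled_theme_options() {
  $options = array();
  foreach (list_themes() as $machine_name => $theme) {
    if (!empty($theme->status)) {
      $options[$machine_name] = check_plain($theme->info['name']);
    }
  }
  return $options;
}

/**
 * Form builder: a POST form instead of direct ?theme=... links.
 * Form API adds the form_token element and rejects submissions whose
 * token does not validate, which is the CSRF protection.
 */
function switchtheme_switch_form($form, &$form_state) {
  $form['theme'] = array(
    '#type' => 'select',
    '#title' => t('Theme'),
    '#options' => switchtheme_enabled_theme_options(),
    '#required' => TRUE,
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Switch'));
  return $form;
}

/**
 * Validation: a forged POST can send any string, so re-check the value
 * against the enabled theme list rather than trusting the select element.
 */
function switchtheme_switch_form_validate($form, &$form_state) {
  $theme = $form_state['values']['theme'];
  if (!array_key_exists($theme, switchtheme_enabled_theme_options())) {
    // %theme is escaped by t(), so the rejected value is never echoed as HTML.
    form_set_error('theme', t('%theme is not an enabled theme.', array('%theme' => $theme)));
  }
}

/**
 * Submit handler: persist the validated choice in the session.
 */
function switchtheme_switch_form_submit($form, &$form_state) {
  $theme = $form_state['values']['theme'];
  $_SESSION['switchtheme_theme'] = $theme;
  drupal_set_message(t('Theme switched to %theme.', array('%theme' => $theme)));
}

/**
 * Implements hook_custom_theme().
 *
 * Re-validates the stored value on every request, so a stale or tampered
 * session entry can never select a disabled or non-existent theme.
 */
function switchtheme_custom_theme() {
  if (empty($_SESSION['switchtheme_theme']) || !user_access('switch theme')) {
    return NULL;
  }
  $theme = $_SESSION['switchtheme_theme'];
  $themes = list_themes();
  if (isset($themes[$theme]) && !empty($themes[$theme]->status)) {
    return $theme;
  }
  return NULL;
}
```

The key design choice is that the machine name is validated twice: once when it is written to the session and again in hook_custom_theme() when it is read, so the session is never treated as a trusted source of a theme name.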

Data model changes

No database schema changes are required. Session handling changes are needed for:

  • Secure theme preference storage
  • Proper session token validation

Comments

mr.pomelov created an issue.