Fusion security fix

Jackie Ng
A security fix is available for Fusion that plugs up a security hole in XML2JSON.php to prevent XML External Entity injection attacks and should be applied as soon as possible. This fix has been made available for Fusion for MapGuide Open Source 2.2 and newer releases.

To apply this fix, locate the appropriate patch archive for your applicable version of MapGuide Open Source, and extract the XML2JSON.php within that zip file to the common\php directory of your Fusion installation, overwriting the existing XML2JSON.php file.

For example, on Windows, if your Fusion installation is in C:\Program Files\OSGeo\MapGuide\Web\www\fusion, then extract the zip file into C:\Program Files\OSGeo\MapGuide\Web\www\fusion\common\php and overwrite the existing XML2JSON.php file.

For example, on Linux, if your Fusion installation is in /usr/local/mapguideopensource-x.y.z/webserverextensions/www/fusion, then extract the zip file into /usr/local/mapguideopensource-x.y.z/webserverextensions/www/fusion/common/php and overwrite the existing XML2JSON.php file.

The security fix can be downloaded here:

MapGuide Open Source 2.2:

Size: 1,527
MD5: 2d12f3952b51182ea16b9c55b5461f71

MapGuide Open Source 2.4.x:

Size: 1,527
MD5: 106688324d0bd1950bd8ab327101df31

MapGuide Open Source 2.5.x:

Size: 1,526
MD5: 92350c25032704289cae3f2804d1bea3

This security fix will be rolled into Fusion for the upcoming release of MapGuide Open Source 2.6.

Many thanks to Jordan Pynn of Jarvas Data Security (http://jarvas.ca) for discovering and reporting this issue to us.


The MapGuide Open Source Project

Re: Fusion security fix

Bernhard Maehler
Not dramatic, but after I applied the fix, I get a PHP E_STRICT error referring to line 69:

$document = DOMDocument::loadXML($xml);

This needs to be changed to:

$document = new DOMDocument();

Many thanks for posting this security fix!
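
Added example, not part of either post and not the code shipped in the Fusion patch: one way to load untrusted XML with DOMDocument so that external entities are never resolved, using an instance call so that no E_STRICT notice is raised. It goes beyond the one-line change discussed above; the helper name load_untrusted_xml and both sample strings are assumptions constructed for illustration.

```php
<?php
// Hypothetical helper (not from XML2JSON.php): parse untrusted XML defensively.
function load_untrusted_xml($xml)
{
    if (!is_string($xml) || $xml === '') {
        throw new InvalidArgumentException('Empty XML input');
    }
    // libxml2 before 2.9 resolves external entities by default, so switch the
    // loader off there. The function is deprecated from PHP 8.0 and not needed.
    $restore = null;
    if (PHP_VERSION_ID < 80000 && function_exists('libxml_disable_entity_loader')) {
        $restore = libxml_disable_entity_loader(true);
    }
    $prevErrors = libxml_use_internal_errors(true);
    try {
        $document = new DOMDocument();  // instance call, no static loadXML()
        // LIBXML_NONET forbids network access. LIBXML_NOENT and LIBXML_DTDLOAD
        // are deliberately not passed: no entity substitution, no external DTD.
        if (!$document->loadXML($xml, LIBXML_NONET)) {
            throw new RuntimeException('XML is not well formed');
        }
        // Input that is converted to JSON has no need for a DTD, so refuse any.
        if ($document->doctype !== null) {
            throw new RuntimeException('DOCTYPE declarations are not accepted');
        }
        return $document;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($prevErrors);
        if ($restore !== null) {
            libxml_disable_entity_loader($restore);
        }
    }
}

// Constructed sample inputs: a plain document and one that declares an entity.
$samples = array(
    'plain'   => '<?xml version="1.0"?><map><name>Sheboygan</name></map>',
    'doctype' => '<?xml version="1.0"?><!DOCTYPE map [<!ENTITY e "x">]>'
               . '<map><name>&e;</name></map>',
);
foreach ($samples as $label => $xml) {
    try {
        $doc = load_untrusted_xml($xml);
        echo $label, ': accepted, root <', $doc->documentElement->nodeName, ">\n";
    } catch (Exception $e) {
        echo $label, ': rejected (', $e->getMessage(), ")\n";
    }
}
```

The plain sample is accepted and the sample carrying a DOCTYPE is rejected before any of its content is used.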