Fusion security fix

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Fusion security fix

Jackie Ng
A security fix is available for Fusion that plugs up a security hole in
XML2JSON.php to prevent XML External Entity injection attacks and should be
applied as soon as possible. This fix has been made available for Fusion
for *MapGuide Open Source 2.2* and newer releases.

To apply this fix, locate the appropriate patch archive for your applicable
version of MapGuide Open Source, and extract the *XML2JSON.php* within that
zip file to the *common\php* directory of your Fusion installation,
overwriting the existing XML2JSON.php file.

For example on Windows, if your fusion installation is in *C:\Program
Files\OSGeo\MapGuide\Web\www\fusion*, then extract the zip file into
*C:\Program
Files\OSGeo\MapGuide\Web\www\fusion\common\php* and overwrite the existing
XML2JSON.php file

For example on Linux, if your fusion installation is in
*/usr/local/mapguideopensource-x.y.z/webserverextensions/www/fusion*, then
extract the zip file into
*/usr/local/mapguideopensource-x.y.z/webserverextensions/www/fusion/common/php*
and
overwrite the existing XML2JSON.php file

The security fix can be downloaded here:

MapGuide Open Source 2.2:

Location:
http://download.osgeo.org/mapguide/patches/fusion2.2_security_fix/FusionSecurityFix.zip
Size: 1,527
MD5: 2d12f3952b51182ea16b9c55b5461f71

MapGuide Open Source 2.4.x:

Location:
http://download.osgeo.org/mapguide/patches/fusion2.4_security_fix/FusionSecurityFix.zip
Size: 1,527
MD5: 106688324d0bd1950bd8ab327101df31

MapGuide Open Source 2.5.x:

Location:
http://download.osgeo.org/mapguide/patches/fusion2.5_security_fix/FusionSecurityFix.zip
Size: 1,526
MD5: 92350c25032704289cae3f2804d1bea3

This security fix will be rolled into Fusion for the upcoming release of
MapGuide Open Source 2.6

Many thanks to Jordan Pynn of Jarvas Data Security (http://jarvas.ca) for
discovering and reporting this issue to us.

Regards,

The MapGuide Open Source Project
_______________________________________________
mapguide-internals mailing list
[hidden email]
http://lists.osgeo.org/mailman/listinfo/mapguide-internals