Fusion security fix


Jackie Ng
A security fix is available for Fusion that plugs up a security hole in XML2JSON.php to prevent XML External Entity injection attacks and should be applied as soon as possible. This fix has been made available for Fusion for MapGuide Open Source 2.2 and newer releases.

To apply this fix, locate the appropriate patch archive for your applicable version of MapGuide Open Source, and extract the XML2JSON.php within that zip file to the common\php directory of your Fusion installation, overwriting the existing XML2JSON.php file.

For example, on Windows, if your Fusion installation is in C:\Program Files\OSGeo\MapGuide\Web\www\fusion, then extract the zip file into C:\Program Files\OSGeo\MapGuide\Web\www\fusion\common\php and overwrite the existing XML2JSON.php file.

For example, on Linux, if your Fusion installation is in /usr/local/mapguideopensource-x.y.z/webserverextensions/www/fusion, then extract the zip file into /usr/local/mapguideopensource-x.y.z/webserverextensions/www/fusion/common/php and overwrite the existing XML2JSON.php file.

The security fix can be downloaded here:

MapGuide Open Source 2.2:

Size: 1,527
MD5: 2d12f3952b51182ea16b9c55b5461f71

MapGuide Open Source 2.4.x:

Size: 1,527
MD5: 106688324d0bd1950bd8ab327101df31

MapGuide Open Source 2.5.x:

Size: 1,526
MD5: 92350c25032704289cae3f2804d1bea3

This security fix will be rolled into Fusion for the upcoming release of MapGuide Open Source 2.6.

Many thanks to Jordan Pynn of Jarvas Data Security (http://jarvas.ca) for discovering and reporting this issue to us.

Regards,

The MapGuide Open Source Project

_______________________________________________
mapguide-announce mailing list
http://lists.osgeo.org/mailman/listinfo/mapguide-announce
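
One way to script the steps in the announcement above, as an added example that is not part of the original message or the MapGuide project's code. It assumes the published size and MD5 describe the downloaded zip archive (the announcement does not say which file they cover); the function names and the `.bak` backup are hypothetical choices.

```python
import hashlib
import shutil
import zipfile
from pathlib import Path

# Published (size in bytes, MD5) values copied from the announcement above.
PUBLISHED = {
    "2.2": (1527, "2d12f3952b51182ea16b9c55b5461f71"),
    "2.4.x": (1527, "106688324d0bd1950bd8ab327101df31"),
    "2.5.x": (1526, "92350c25032704289cae3f2804d1bea3"),
}
TARGET = "XML2JSON.php"


def verify_archive(archive, size, md5):
    """Raise ValueError unless the archive matches the expected size and MD5."""
    data = Path(archive).read_bytes()
    if len(data) != size:
        raise ValueError(f"size mismatch: got {len(data)}, expected {size}")
    digest = hashlib.md5(data).hexdigest()
    if digest != md5.lower():
        raise ValueError(f"MD5 mismatch: got {digest}, expected {md5}")


def apply_fix(archive, fusion_dir, size, md5):
    """Verify the archive, back up the old file, install the patched one."""
    verify_archive(archive, size, md5)
    dest = Path(fusion_dir) / "common" / "php" / TARGET
    if not dest.is_file():
        raise FileNotFoundError(f"{dest} not found; wrong Fusion directory?")
    with zipfile.ZipFile(archive) as zf:
        # Match on the base name only, so a path stored inside the zip
        # can never cause a write outside common/php.
        members = [n for n in zf.namelist() if Path(n).name == TARGET]
        if len(members) != 1:
            raise ValueError(f"expected one {TARGET}, found {len(members)}")
        patched = zf.read(members[0])
    backup = dest.with_name(dest.name + ".bak")
    shutil.copy2(dest, backup)  # keep the old file so the change can be undone
    dest.write_bytes(patched)
    return backup


if __name__ == "__main__":
    import sys  # usage: apply_fix.py <patch.zip> <fusion dir> <2.2|2.4.x|2.5.x>
    size, md5 = PUBLISHED[sys.argv[3]]
    print("backup:", apply_fix(sys.argv[1], sys.argv[2], size, md5))
```

The MD5 comparison catches a truncated or mismatched download; once the fix is confirmed working, move the `.bak` copy out of the web directory.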