<div dir="ltr">A security fix is available for Fusion that plugs up a security hole in XML2JSON.php to prevent XML External Entity injection attacks and should be applied as soon as possible. This fix has been made available for Fusion for <b>MapGuide Open Source 2.2</b> and newer releases.<div>
<br></div><div>To apply this fix, locate the appropriate patch archive for your applicable version of MapGuide Open Source, and extract the <b>XML2JSON.php</b> within that zip file to the <b>common\php</b> directory of your Fusion installation, overwriting the existing XML2JSON.php file.</div>
<div><br></div><div>For example on Windows, if your fusion installation is in <b>C:\Program Files\OSGeo\MapGuide\Web\www\fusion</b>, then extract the zip file into <b>C:\Program Files\OSGeo\MapGuide\Web\www\fusion\common\php</b> and overwrite the existing XML2JSON.php file</div>
<div><br></div><div>For example on Linux, if your fusion installation is in <b>/usr/local/mapguideopensource-x.y.z/webserverextensions/www/fusion</b>, then extract the zip file into <b>/usr/local/mapguideopensource-x.y.z/webserverextensions/www/fusion/common/php</b> and overwrite the existing XML2JSON.php file<br>
<div><br></div><div>The security fix can be downloaded here:</div><div><br></div><div>MapGuide Open Source 2.2:</div><div><br></div><div>Location: <a href="http://download.osgeo.org/mapguide/patches/fusion2.2_security_fix/FusionSecurityFix.zip">http://download.osgeo.org/mapguide/patches/fusion2.2_security_fix/FusionSecurityFix.zip</a><br>
</div><div>Size: 1,527</div><div>MD5: 2d12f3952b51182ea16b9c55b5461f71</div><div><br></div><div>MapGuide Open Source 2.4.x:</div><div><br></div><div>Location: <a href="http://download.osgeo.org/mapguide/patches/fusion2.4_security_fix/FusionSecurityFix.zip">http://download.osgeo.org/mapguide/patches/fusion2.4_security_fix/FusionSecurityFix.zip</a><br>
</div><div>Size: 1,527</div><div>MD5: 106688324d0bd1950bd8ab327101df31</div><div><br></div><div>MapGuide Open Source 2.5.x:</div><div><br></div><div>Location: <a href="http://download.osgeo.org/mapguide/patches/fusion2.5_security_fix/FusionSecurityFix.zip">http://download.osgeo.org/mapguide/patches/fusion2.5_security_fix/FusionSecurityFix.zip</a><br>
</div><div>Size: 1,526</div><div>MD5: 92350c25032704289cae3f2804d1bea3</div><div><br></div><div>This security fix will be rolled into Fusion for the upcoming release of MapGuide Open Source 2.6</div><div><br></div><div>Many thanks to Jordan Pynn of Jarvas Data Security (<a href="http://jarvas.ca">http://jarvas.ca</a>) for discovering and reporting this issue to us.</div>
</div><div><br></div><div>Regards,</div><div><br></div><div>The MapGuide Open Source Project</div></div>