[fusion-users] Fusion security fix
Jackie Ng
jumpinjackie at gmail.com
Tue Jun 24 21:40:22 PDT 2014

A security fix is available for Fusion that closes an XML External Entity
(XXE) injection hole in XML2JSON.php. It should be applied as soon as
possible. This fix has been made available for Fusion for *MapGuide Open
Source 2.2* and newer releases.

To apply this fix, locate the patch archive for your version of MapGuide
Open Source, and extract the *XML2JSON.php* within that zip file to the
*common\php* directory of your Fusion installation, overwriting the
existing XML2JSON.php file.

For example on Windows, if your Fusion installation is in
*C:\Program Files\OSGeo\MapGuide\Web\www\fusion*, then extract the zip file
into *C:\Program Files\OSGeo\MapGuide\Web\www\fusion\common\php* and
overwrite the existing XML2JSON.php file.

For example on Linux, if your Fusion installation is in
*/usr/local/mapguideopensource-x.y.z/webserverextensions/www/fusion*, then
extract the zip file into
*/usr/local/mapguideopensource-x.y.z/webserverextensions/www/fusion/common/php*
and overwrite the existing XML2JSON.php file.

The security fix can be downloaded here:

MapGuide Open Source 2.2:
  Location: http://download.osgeo.org/mapguide/patches/fusion2.2_security_fix/FusionSecurityFix.zip
  Size: 1,527
  MD5: 2d12f3952b51182ea16b9c55b5461f71

MapGuide Open Source 2.4.x:
  Location: http://download.osgeo.org/mapguide/patches/fusion2.4_security_fix/FusionSecurityFix.zip
  Size: 1,527
  MD5: 106688324d0bd1950bd8ab327101df31

MapGuide Open Source 2.5.x:
  Location: http://download.osgeo.org/mapguide/patches/fusion2.5_security_fix/FusionSecurityFix.zip
  Size: 1,526
  MD5: 92350c25032704289cae3f2804d1bea3

This security fix will be rolled into Fusion for the upcoming release of
MapGuide Open Source 2.6.

Many thanks to Jordan Pynn of Jarvas Data Security (http://jarvas.ca) for
discovering and reporting this issue to us.
Regards,
The MapGuide Open Source Project
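
The verify-then-overwrite procedure described above, as an added example that is not part of the original announcement or the MapGuide project's code. It checks a downloaded archive against the size and MD5 published above before replacing XML2JSON.php; the function names, the `.bak` rollback copy and the reading of "Size" as bytes are assumptions.

```python
import hashlib
import shutil
import zipfile
from pathlib import Path

# Values published in the announcement, keyed by MapGuide Open Source release.
# Sizes are assumed to be in bytes (the announcement gives no unit).
PUBLISHED = {
    "2.2": (1527, "2d12f3952b51182ea16b9c55b5461f71"),
    "2.4": (1527, "106688324d0bd1950bd8ab327101df31"),
    "2.5": (1526, "92350c25032704289cae3f2804d1bea3"),
}
TARGET = "XML2JSON.php"


def verify_archive(zip_path, size, md5):
    """Return True only if the file's size and MD5 both match the given values."""
    data = Path(zip_path).read_bytes()
    return len(data) == size and hashlib.md5(data).hexdigest() == md5.lower()


def apply_fix(zip_path, fusion_dir, size, md5):
    """Verify the archive, back up the old XML2JSON.php, then install the new one."""
    if not verify_archive(zip_path, size, md5):
        raise ValueError("archive does not match the published size/MD5")
    php_dir = Path(fusion_dir) / "common" / "php"
    if not php_dir.is_dir():
        raise FileNotFoundError(f"{php_dir} not found; is this a Fusion install?")
    with zipfile.ZipFile(zip_path) as zf:
        # Match on the base name only, so a member path inside the archive can
        # never steer the write outside common/php.
        members = [n for n in zf.namelist() if Path(n).name == TARGET]
        if len(members) != 1:
            raise ValueError(f"expected exactly one {TARGET} in the archive")
        patched = zf.read(members[0])
    dest = php_dir / TARGET
    if dest.exists():
        shutil.copy2(dest, dest.with_name(TARGET + ".bak"))  # keep a rollback copy
    dest.write_bytes(patched)
    return dest


if __name__ == "__main__":
    import sys
    # Usage: script.py <2.2|2.4|2.5> <FusionSecurityFix.zip> <fusion install dir>
    release, zip_path, fusion_dir = sys.argv[1:4]
    print("installed", apply_fix(zip_path, fusion_dir, *PUBLISHED[release]))
```

The MD5 and size comparison catches a truncated download or an archive for the wrong release before the live file is touched.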