[mapguide-users] Fusion security fix

Jackie Ng jumpinjackie at gmail.com
Tue Jun 24 21:40:22 PDT 2014

A security fix is available for Fusion that plugs up a security hole in
XML2JSON.php to prevent XML External Entity injection attacks and should be
applied as soon as possible. This fix has been made available for Fusion
for *MapGuide Open Source 2.2* and newer releases.

To apply this fix, locate the appropriate patch archive for your applicable
version of MapGuide Open Source, and extract the *XML2JSON.php* within that
zip file to the *common\php* directory of your Fusion installation,
overwriting the existing XML2JSON.php file.

For example on Windows, if your fusion installation is in *C:\Program
Files\OSGeo\MapGuide\Web\www\fusion*, then extract the zip file into
Files\OSGeo\MapGuide\Web\www\fusion\common\php* and overwrite the existing
XML2JSON.php file

For example on Linux, if your fusion installation is in
*/usr/local/mapguideopensource-x.y.z/webserverextensions/www/fusion*, then
extract the zip file into
overwrite the existing XML2JSON.php file

The security fix can be downloaded here:

MapGuide Open Source 2.2:

Size: 1,527
MD5: 2d12f3952b51182ea16b9c55b5461f71

MapGuide Open Source 2.4.x:

Size: 1,527
MD5: 106688324d0bd1950bd8ab327101df31

MapGuide Open Source 2.5.x:

Size: 1,526
MD5: 92350c25032704289cae3f2804d1bea3

This security fix will be rolled into Fusion for the upcoming release of
MapGuide Open Source 2.6

Many thanks to Jordan Pynn of Jarvas Data Security (http://jarvas.ca) for
discovering and reporting this issue to us.


The MapGuide Open Source Project
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/mapguide-users/attachments/20140625/958d49af/attachment.html>

More information about the mapguide-users mailing list