A security fix is available for Fusion that closes a security hole in XML2JSON.php to prevent XML External Entity (XXE) injection attacks. It should be applied as soon as possible. This fix has been made available for Fusion for *MapGuide Open Source 2.2* and newer releases.
To apply this fix, locate the patch archive for your version of MapGuide Open Source, and extract the *XML2JSON.php* within that zip file to the *common\php* directory of your Fusion installation, overwriting the existing XML2JSON.php file.

For example, on Windows, if your Fusion installation is in *C:\Program Files\OSGeo\MapGuide\Web\www\fusion*, then extract the zip file into *C:\Program Files\OSGeo\MapGuide\Web\www\fusion\common\php* and overwrite the existing XML2JSON.php file.

For example, on Linux, if your Fusion installation is in */usr/local/mapguideopensource-x.y.z/webserverextensions/www/fusion*, then extract the zip file into */usr/local/mapguideopensource-x.y.z/webserverextensions/www/fusion/common/php* and overwrite the existing XML2JSON.php file.

The security fix can be downloaded here:

MapGuide Open Source 2.2:
Location: http://download.osgeo.org/mapguide/patches/fusion2.2_security_fix/FusionSecurityFix.zip
Size: 1,527
MD5: 2d12f3952b51182ea16b9c55b5461f71

MapGuide Open Source 2.4.x:
Location: http://download.osgeo.org/mapguide/patches/fusion2.4_security_fix/FusionSecurityFix.zip
Size: 1,527
MD5: 106688324d0bd1950bd8ab327101df31

MapGuide Open Source 2.5.x:
Location: http://download.osgeo.org/mapguide/patches/fusion2.5_security_fix/FusionSecurityFix.zip
Size: 1,526
MD5: 92350c25032704289cae3f2804d1bea3

This security fix will be rolled into Fusion for the upcoming release of MapGuide Open Source 2.6.

Many thanks to Jordan Pynn of Jarvas Data Security (http://jarvas.ca) for discovering and reporting this issue to us.

Regards,
The MapGuide Open Source Project
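The install steps above, as an added example that is not code from the MapGuide project: it checks a downloaded FusionSecurityFix.zip against the MD5 published in the advisory before replacing XML2JSON.php, and works on both the Windows and Linux layouts. Assumptions: the names `md5_of` and `apply_fix` are illustrative, the archive is assumed to hold a single XML2JSON.php, and the `.bak` backup is an addition the advisory does not ask for.

```python
import hashlib
import shutil
import zipfile
from pathlib import Path

# MD5 digests published in the advisory, keyed by MapGuide Open Source release.
PUBLISHED_MD5 = {
    "2.2": "2d12f3952b51182ea16b9c55b5461f71",
    "2.4": "106688324d0bd1950bd8ab327101df31",
    "2.5": "92350c25032704289cae3f2804d1bea3",
}
TARGET = "XML2JSON.php"


def md5_of(path):
    """Return the hex MD5 digest of a file, read in chunks."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def apply_fix(archive, fusion_dir, expected_md5):
    """Verify the archive digest, back up the old file, install the new one."""
    # Refuse to touch the installation if the download does not match.
    actual = md5_of(archive)
    if actual != expected_md5.lower():
        raise ValueError(f"MD5 mismatch: got {actual}, expected {expected_md5}")

    php_dir = Path(fusion_dir) / "common" / "php"
    if not php_dir.is_dir():
        raise ValueError(f"{php_dir} not found; is this a Fusion installation?")

    with zipfile.ZipFile(archive) as zf:
        # Match on the base name only, so a member path inside the zip can
        # never steer the write outside common/php.
        members = [m for m in zf.infolist()
                   if not m.is_dir() and Path(m.filename).name == TARGET]
        if len(members) != 1:
            raise ValueError(f"expected one {TARGET} in archive, found {len(members)}")
        payload = zf.read(members[0])

    dest = php_dir / TARGET
    if dest.exists():
        shutil.copy2(dest, dest.with_name(TARGET + ".bak"))  # keep the old file
    dest.write_bytes(payload)
    return dest
```

Call it as `apply_fix("FusionSecurityFix.zip", fusion_dir, PUBLISHED_MD5["2.5"])`, choosing the key that matches the archive you downloaded.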
