Fusion security fix available
A security fix is available for Fusion that closes a security hole in XML2JSON.php to prevent XML External Entity (XXE) injection attacks. It should be applied as soon as possible. This fix has been made available for Fusion for MapGuide Open Source 2.2 and newer releases.
To apply this fix, locate the patch archive for your version of MapGuide Open Source, and extract the XML2JSON.php file within that zip file to the common\php directory of your Fusion installation, overwriting the existing XML2JSON.php file.
For example, on Windows, if your Fusion installation is in
C:\Program Files\OSGeo\MapGuide\Web\www\fusion, then extract the zip file into
C:\Program Files\OSGeo\MapGuide\Web\www\fusion\common\php and overwrite the existing XML2JSON.php file.
For example, on Linux, if your Fusion installation is in
/usr/local/mapguideopensource-x.y.z/webserverextensions/www/fusion, then extract the zip file into
/usr/local/mapguideopensource-x.y.z/webserverextensions/www/fusion/common/php and overwrite the existing XML2JSON.php file.
The security fix can be downloaded here:
MapGuide Open Source 2.2
File: FusionSecurityFix.zip
Size: 1,527
MD5: 2d12f3952b51182ea16b9c55b5461f71
MapGuide Open Source 2.4.x
File: FusionSecurityFix.zip
Size: 1,527
MD5: 106688324d0bd1950bd8ab327101df31
MapGuide Open Source 2.5.x
File: FusionSecurityFix.zip
Size: 1,526
MD5: 92350c25032704289cae3f2804d1bea3
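The steps above can be scripted so that the download is checked against the published MD5 before anything is overwritten. The following is an added example, not code from the Fusion or MapGuide project; the function names md5_of and apply_fix are hypothetical, and it assumes the archive contains exactly one XML2JSON.php.

```python
import hashlib
import shutil
import zipfile
from pathlib import Path

# MD5 values as published in this advisory, keyed by MapGuide Open Source release.
PUBLISHED_MD5 = {
    "2.2": "2d12f3952b51182ea16b9c55b5461f71",
    "2.4.x": "106688324d0bd1950bd8ab327101df31",
    "2.5.x": "92350c25032704289cae3f2804d1bea3",
}
TARGET_NAME = "XML2JSON.php"


def md5_of(path):
    """Return the hex MD5 of a file, read in chunks."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def apply_fix(zip_path, fusion_dir, expected_md5):
    """Verify the archive, back up the old XML2JSON.php, install the new one."""
    actual = md5_of(zip_path)
    if actual != expected_md5.lower():
        raise ValueError(f"MD5 mismatch: got {actual}, expected {expected_md5}")
    php_dir = Path(fusion_dir) / "common" / "php"
    target = php_dir / TARGET_NAME
    if not target.is_file():
        raise FileNotFoundError(f"{target} not found; wrong Fusion directory?")
    with zipfile.ZipFile(zip_path) as zf:
        # Accept exactly one member whose base name is XML2JSON.php and read
        # its bytes directly, so entry paths in the archive are never trusted.
        members = [m for m in zf.namelist()
                   if m.replace("\\", "/").rsplit("/", 1)[-1] == TARGET_NAME]
        if len(members) != 1:
            raise ValueError(f"expected one {TARGET_NAME} in archive, found {len(members)}")
        new_bytes = zf.read(members[0])
    backup = target.parent / (TARGET_NAME + ".bak")
    shutil.copy2(target, backup)  # keep the pre-fix file for rollback
    target.write_bytes(new_bytes)
    return backup
```

Pass the MD5 listed above for your release as expected_md5, for example PUBLISHED_MD5["2.4.x"]. The MD5 check catches a corrupted or mismatched download, and the previous file is kept as XML2JSON.php.bak.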
This security fix will be rolled into Fusion for the upcoming release of MapGuide Open Source 2.6.
Many thanks to Jordan Pynn of Jarvas Data Security for discovering and reporting this issue to us.