Quanos SIS.one
security instructions

October 2024

CATALOGcreator: Important notice due to PHP security vulnerability

Due to recent events, we would like to point out a security vulnerability in PHP, which is classified as critical by our developers.
All installations of ExportDynamic that are installed on web servers (IIS or Apache) are affected. 
 

ExportDynamic 3.15 to 3.17

PHP has made new security releases available for the current PHP versions that fix this security vulnerability. We have adapted the PHP packages for our software and make them available to you via download on our website, see buttons. Depending on the ExportDynamic version you are using, the PHP packages specified must be replaced:

• ExportDynamic 3.17 => Download PHP 8.3.12
• ExportDynamic 3.16/3.16.1 => Download PHP 8.2.24
• ExportDynamic 3.15 => Download PHP 8.1.30

ExportDynamic versions 3.14 and older are NOT compatible with the PHP versions mentioned above and cannot be used there!
The ExportDynamic version used is displayed in the online catalog via the "About" link in the footer. 

Update Instructions for Webserver with IIS:

• Copy the previous php.ini into a temp directory for a later file comparison
• Create a backup of the existing PHP folder, e.g. export the folder to a ZIP archive and move it to a backup directory with a unique name
• Stop the website and the application pool in IIS
• Empty the existing PHP folder
• Unzip the new PHP package and paste it into the same folder
• Optional (only if a different directory is now used for PHP): Enter the new php-cgi.exe for FastCGI in the IIS under "Handler Mapping" for *.php
• Use WinMerge to compare the new php.ini with the previous one (which was previously stored in a temp directory)
  • check the parameters and enter all customer-specific settings to the new php.ini (e.g. extension=ldap, activate https per session.cookie_secure = 1, max_execution_time, etc.). )
  • Enter the paths to the \tmp directory, to the extensions and to CACERT (all are usually at the end of the php.ini supplied by Quanos). These path entries are prepared for the default folder D:\CATALOGcreator.
• Alternatively, the php.ini can also be checked and adapted manually with Notepad++.
• Restart the website and AppPool in IIS
• Use a test.php in the public folder with the content 
  • <?php     phpinfo();?> to check whether the new PHP version and the correct php.ini are being used. This test file must be deleted immediately afterwards!
• In case of problems, check the PHP folder for the necessary read permissions of the IIS_IUSRS group

Procedure for ExportDynamic 3.14 and older

Older PHP versions, i.e. PHP 8.0 and older, are classified as End of Life by the manufacturer and therefore no longer receive updates!

This means that no PHP packages are available for ExportDynamic version 3.14 and older. In this case, the entire installation of the Quanos products must be updated in the form of a project update and thus upgraded to a current ExportDynamic. This is a chargeable service. In this case please open a support ticket via the Quanos Service Desk or contact your Quanos Partner.

We support you 

If you are unsure which version you are using or need assistance with a replacement, please open a support ticket via the Quanos Service Desk or contact your Quanos partner.