Quanos SIS.one
security instructions

March 2026

Urgent Security Update of the OpenSSL Libraries in the PHP Frameworks

Due to current circumstances, we would like to inform you about a security vulnerability related to OpenSSL. Our developers have classified this security vulnerability CVE-2025-15467 as critical. The PHP versions we support use an affected OpenSSL version.

Our installations with PHP 8.2 and higher are affected. Older versions may also be affected, but are no longer delivered or supported by us.

Under certain circumstances, the security vulnerability can compromise the integrity and security of the application. For this reason, we are providing both an automated update tool, the OpenSSL HotfixPatcher, and alternative update packages for Windows environments, with which the affected OpenSSL files can be replaced.

Please note:

Which files need to be updated depends on the OpenSSL library version that is actually in use. This is not directly tied to the PHP version and is also independent of the ExportDynamic version in use.

Measures for Existing Customers

To ensure that the update is performed with the correct OpenSSL library version, we recommend using our OpenSSL HotfixPatcher tool:

  • The tool determines the used OpenSSL library version in a specified path
  • It then offers to update the affected files
  • A backup of the existing files is automatically created
  • After completion, it displays whether the update was successful

Alternatively, the tool can also be used exclusively to determine the currently deployed OpenSSL version. Instructions are included in the package in the form of a PDF file.

Customers who wish to perform the replacement manually can use the provided update package. This package can be used for both Server publications and Offline publications and contains updates for all five affected OpenSSL library versions. Instructions are included in the package in the form of a HowTo.txt.

For Linux environments, Quanos does not deliver PHP/Apache. There, OpenSSL is managed at the system level. Please ensure that in this case your system administrator performs a corresponding update.

We strongly recommend implementing the mentioned measures promptly to continue ensuring secure operation.

Here you can download the packages mentioned above:

Go to the packages
 

If you are unsure which version is in use at your location or need support with the replacement, please open a support ticket via the SIS.one Service Desk or contact your supporting Quanos partner.

October 2024

Updated in July 2025

CATALOGcreator: Important notice due to PHP security vulnerability

Due to recent events, we would like to point out a security vulnerability in PHP, which is classified as critical by our developers.
All installations of ExportDynamic that are installed on web servers (IIS or Apache) are affected. 
 

From ExportDynamic 3.15

PHP has made new security releases available for the current PHP versions that fix this security vulnerability. We have adapted the PHP packages for our software and make them available to you via download on our website, see buttons. Depending on the ExportDynamic version you are using, the PHP packages specified must be replaced:

ExportDynamic versions 3.14 and older are NOT compatible with the PHP versions mentioned above and cannot be used there!
The ExportDynamic version used is displayed in the online catalog via the "About" link in the footer. 

Update Instructions for Webserver with IIS:

  • Copy the previous php.ini into a temp directory for a later file comparison
  • Create a backup of the existing PHP folder, e.g. export the folder to a ZIP archive and move it to a backup directory with a unique name
  • Stop the website and the application pool in IIS
  • Empty the existing PHP folder
  • Unzip the new PHP package and paste it into the same folder
  • Optional (only if a different directory is now used for PHP): Enter the new php-cgi.exe for FastCGI in the IIS under "Handler Mapping" for *.php
  • Use WinMerge to compare the new php.ini with the previous one (which was previously stored in a temp directory)
    • Check the parameters and carry all customer-specific settings over to the new php.ini (e.g. extension=ldap, activating https via session.cookie_secure = 1, max_execution_time, etc.)
    • Enter the paths to the \tmp directory, to the extensions and to CACERT (all are usually at the end of the php.ini supplied by Quanos). These path entries are prepared for the default folder D:\CATALOGcreator.
  • Alternatively, the php.ini can also be checked and adapted manually with Notepad++.
  • Restart the website and AppPool in IIS
  • Use a test.php in the public folder with the content <?php phpinfo(); ?> to check whether the new PHP version and the correct php.ini are being used. This test file must be deleted immediately afterwards!
  • In case of problems, check the PHP folder for the necessary read permissions of the IIS_IUSRS group
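
The php.ini comparison step in the list above can also be done from PowerShell, which helps on servers where WinMerge is not installed. This is an added example, not part of the Quanos packages or instructions; the function names and the sample php.ini content are constructed for illustration.

```powershell
# Added example (not Quanos code): list php.ini directives that differ
# between the previous php.ini and the one from the new PHP package.
function ConvertFrom-PhpIni {
    param([string[]]$Lines)
    $map = @{}
    foreach ($line in $Lines) {
        $text = $line.Trim()
        # Skip blank lines, comments and section headers such as [PHP]
        if ($text -eq '' -or $text.StartsWith(';') -or $text.StartsWith('[')) { continue }
        $idx = $text.IndexOf('=')
        if ($idx -lt 1) { continue }
        $key = $text.Substring(0, $idx).Trim()
        # Drop a trailing "; comment" and surrounding quotes from the value
        $val = ($text.Substring($idx + 1) -replace '\s+;.*$', '').Trim().Trim('"')
        # extension= can occur several times, so keep every value
        if (-not $map.ContainsKey($key)) { $map[$key] = @() }
        $map[$key] += $val
    }
    $map
}

function Compare-PhpIni {
    param([hashtable]$Old, [hashtable]$New)
    $keys = @($Old.Keys) + @($New.Keys) | Sort-Object -Unique
    foreach ($key in $keys) {
        $o = if ($Old.ContainsKey($key)) { ($Old[$key] | Sort-Object) -join ', ' } else { '(not set)' }
        $n = if ($New.ContainsKey($key)) { ($New[$key] | Sort-Object) -join ', ' } else { '(not set)' }
        if ($o -ne $n) { [pscustomobject]@{ Directive = $key; Previous = $o; New = $n } }
    }
}

# Constructed sample content. For real files pass
# (Get-Content -LiteralPath <path>) for the saved and the new php.ini.
$oldText = @'
[PHP]
max_execution_time = 300
extension=openssl
extension=ldap
session.cookie_secure = 1
'@
$newText = @'
[PHP]
max_execution_time = 30 ; package default
extension=openssl
;extension=ldap
'@
$previous = ConvertFrom-PhpIni ($oldText -split '\r?\n')
$current  = ConvertFrom-PhpIni ($newText -split '\r?\n')
Compare-PhpIni -Old $previous -New $current | Format-Table -AutoSize
```

Every row in the output is a directive to review before the website is restarted; a row whose New column reads "(not set)" is a customer-specific setting that has not yet been carried over.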


Procedure for ExportDynamic 3.14 and older

Older PHP versions, i.e. PHP 8.0 and older, are classified as End of Life by the manufacturer and therefore no longer receive updates!

This means that no PHP packages are available for ExportDynamic version 3.14 and older. In this case, the entire installation of the Quanos products must be updated in the form of a project update and thus upgraded to a current ExportDynamic. This is a chargeable service. In this case please open a support ticket via the Quanos Service Desk or contact your Quanos Partner.

 

We support you 

If you are unsure which version you are using or need assistance with a replacement, please open a support ticket via the Quanos Service Desk or contact your Quanos partner.