Disclaimer: The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies; I am not liable for any damages caused by direct or indirect use of the information or functionality provided by this advisory. I bear NO responsibility for content or misuse of this advisory or any derivatives thereof.

We have contacted the vendor numerous times to find solutions for the following issues; however, their response has been the typical "none of our other customers have a problem with the current configuration" or "that is how we have always set it up in the past".

Background:

Eviewer is a web-based application that is designed to offer a browser interface to SalesLogix data.

Issues:

1. The following URL will instruct the application DLL to essentially shut down, restart, and reread the configuration. Our experience has been that each time the command is run, the application CRASHES and requires a reboot to reset. In addition, this "administrative" command requires NO PASSWORD to issue the shutdown.

   http://yourserver.com/scripts/slxweb.dll/admin?command=shutdown

Secondary Concerns:

In addition to the security issues surrounding the non-password-protected admin command, here are some additional "requirements" necessary to install the product (see if you can find the security holes):

1. Change the standard "anonymous" user account from the default IUSR_{systemname}, which has guest privilege, to a newly defined slxwebuser account with administrative privilege.
2. Create multiple shares on the webserver, including shares to the root webserver document directory and the /scripts directory.
3. The slxweb.dll program, which allows admin commands, must be installed in the /scripts directory (you cannot move it to /cgi-bin, etc.).
4. Both the installation guide and tech support "strongly suggest" you install IIS in its default location, c:\inetpub\wwwroot.

Have a great day.
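Because the admin command described under Issues takes no password, the only places an operator can see or stop it are the web server and the network in front of it. The following is an added example, not code from the advisory or from the vendor: a small scanner for IIS W3C extended logs that flags every request to the slxweb.dll admin endpoint and lists the client addresses that issued command=shutdown. The log lines are constructed for the example, and the field order (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status) is an assumption taken from the #Fields: directive embedded in the sample; a real log's #Fields: line drives the parser the same way.

```python
import re
from urllib.parse import parse_qs

# Constructed sample in IIS W3C extended log format (not real log data).
# The #Fields: directive defines the column order; the parser reads it.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1999-06-01 10:00:01 10.0.0.5 GET /scripts/slxweb.dll/report id=42 200
1999-06-01 10:00:07 10.0.0.9 GET /scripts/slxweb.dll/admin command=shutdown 200
1999-06-01 10:00:09 10.0.0.9 GET /scripts/SLXWEB.DLL/Admin Command=Shutdown 500
1999-06-01 10:01:15 10.0.0.5 GET /default.htm - 200
"""

# Path of the unauthenticated admin endpoint named in the advisory.
# Matched case-insensitively so a differently cased request is not missed.
ADMIN_PATH = re.compile(r"^/scripts/slxweb\.dll/admin$", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than misattribute a field
        yield dict(zip(fields, parts))


def find_admin_commands(text):
    """Return (client_ip, command, http_status) for every hit on the admin endpoint."""
    hits = []
    for rec in parse_w3c(text):
        if not ADMIN_PATH.match(rec["cs-uri-stem"]):
            continue
        query = rec["cs-uri-query"]
        params = parse_qs("" if query == "-" else query, keep_blank_values=True)
        # Query parameter names are compared case-insensitively as well.
        cmd = next((v[0] for k, v in params.items() if k.lower() == "command"), "")
        hits.append((rec["c-ip"], cmd.lower(), int(rec["sc-status"])))
    return hits


def shutdown_sources(text):
    """Distinct client addresses that issued command=shutdown, for blocking or follow-up."""
    return sorted({ip for ip, cmd, _ in find_admin_commands(text) if cmd == "shutdown"})


if __name__ == "__main__":
    for ip, cmd, status in find_admin_commands(SAMPLE_LOG):
        print(f"admin command {cmd!r} from {ip} (HTTP {status})")
    print("shutdown issued by:", shutdown_sources(SAMPLE_LOG))
```

Run against the sample, the scanner reports both admin hits from 10.0.0.9 (including the one that returned HTTP 500, which is what the crash described above would look like in the log) and ignores the ordinary report request. Pointing it at a real log directory gives the addresses to restrict at the web server or firewall, since the application itself offers no authentication on this path.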
