Carl Livitt has reported some vulnerabilities in SalesLogix, which can be exploited by malicious people to spoof users, cause a DoS (Denial of Service), disclose system and sensitive information, conduct SQL injection, bypass certain security restrictions, and potentially compromise a vulnerable system.

1) A design error in the handling of user sessions can be exploited to bypass the user authentication and log in as an arbitrary user without knowing the password by manipulating user information stored in a cookie.

2) Some input validation errors when processing invalid requests can cause the request handling process to crash in "slxweb.dll" and return an error response disclosing the full path to the script.

3) Input passed to the "id" parameter in "slxweb.dll/view" is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

4) Some sensitive system information is sent to the client, which can e.g. be exploited to gain knowledge of username and password for the database.

5) The SLX protocol used for communication between clients and servers does not protect against man-in-the-middle attacks. This can be exploited to gain knowledge of sensitive information.

6) The server does not authenticate users when receiving incoming requests to port 1707/tcp. This can be exploited to pass arbitrary SLX commands to the server and disclose sensitive information.

7) An input validation error in "ProcessQueueFile" can be exploited to upload files to arbitrary locations via directory traversal attacks.

The vulnerabilities have been reported in version 6.1. Other versions may also be affected.

Solution
The vulnerabilities have reportedly been fixed by the vendor.
Further details available to Secunia VIM customers

Provided and/or discovered by
Carl Livitt

Changelog
Further details available to Secunia VIM customers

Deep Links
Links available to Secunia VIM customers