DSD Business Systems DSD Business Systems News
Product News, Tech Tips and the Inside Scoop
December 2004 l www.dsdinc.com l 619-683-9900
Index   MAS 90 / MAS 200 - MAS 500 - Enhancements - CRM - The IT Guys
 

During the Holiday Season more than ever, our thoughts turn gratefully to those who have made our progress possible.  And in this spirit we say, simply but sincerely - Thank you and best wishes for the holiday season and a happy new year from the entire team at DSD Business Systems.

Up Close and Personal

by Doug Deane, President of DSD
Back in the early 70’s, I was a defenseman for the Cornell Mechanical Engineering Department’s ice hockey team. We were terrible, but we had a great time. 30+ years and two knee operations later, I am back on the ice. I screwed up all of my courage, put my pride in my back pocket, and I went ice skating this past weekend for the first time since college. I only fell once, and I was out of control most of the time, but I had a great time rediscovering a sport that I loved in my youth. I am determined to skate regularly from now on.

In the constant struggle to make a profit, and to keep your staff busy, and to maintain cash flow, and to please your boss or shareholders or partners, it’s really easy to get stuck in a rut, doing those same old things that have been successful for you in the past. The problem is that your most formidable competitors aren’t doing that. They are trying new initiatives, creating new campaigns, new systems and new processes, hoping to get a larger share of your business.

We’re quickly approaching the end of 2004, and I believe that it would be a great way to start the new year by doing something that you haven’t done in a long time that has been fun or successful for you in the past, by making a tough decision that is long overdue, by trying something new that you’ve always wanted to, by getting in touch with someone who you haven’t spoken to in a long while, or by helping someone who doesn’t expect it.

I hope that you apply this to your personal life, and of course you can use it to re-energize your business, your staff and your customer relationships. And, if any of this involves your computer system, DSD stands ready to help. Everyone here at DSD wishes you and your extended family a joyous holiday season, and a prosperous New Year. See you on the other side.

Happy Holidays,

Doug Deane
President

New Online Series for Customers: Managing Your Growth!
Spectrum of Sage Software Products for MAS 90 and MAS 200 Customers

In the Managing Your Growth customer online seminar series, Sage Software product and solutions experts will spotlight the new features of MAS 90 and MAS 200 4.0, as well as some of the Best Software add-on solutions currently available. By automating complex processes with new software solutions, companies can eliminate time-consuming steps and improve profitability.

If you're looking for more advanced capabilities, migration to MAS 500 could be just the solution you need to elevate your business to the next level.

Dates and Times
Dec 15 - 9:00-10:30 am PST
Jan 19 - 9:00-10:30 am PST
Feb 16 - 9:00-10:30 am PST
Mar 16 - 9:00-10:30 am PST
Apr 20 - 9:00-10:30 am PST

You can register for this free webinar at: http://bestsoftware.com/managegrowth

CTS Software Survey of Mid-Market Accounting Solutions – Extended to December 15!

CTS Software selection is conducting a survey of the top mid-market accounting solutions, including MAS 90 and MAS 500. To participate in the online survey, please respond by Dec. 15, 2004 and visit:

http://64.71.185.80/Forms/CTS_Survey

 

MAS 90/MAS 200

Upcoming MAS 90 and MAS 200 Classes

Library Master and Security  $425  Jan 10, Feb 14, Mar 14
General Ledger  $425  Jan 11, Feb 15, Mar 15
Accounts Payable  $425  Jan 12, Feb 16. Mar 16
Accounts Receivable  $425  Jan 13, Feb 17, Mar 17
Inventory Management  $425  Jan 17, Feb 21, Mar 21
Sales Order  $425  Jan 18, Feb 22, Mar 22
Purchase Order  $425  Dec 15, Jan 19, Feb 23, Mar 23
FRx Desktop  $425  Dec 16, Mar 24
Crystal Reports (2 days)  $800  Jan 20-21 (2-day class)

You must sign up a week in advance of the scheduled class to reserve your spot! Late registrations are subject to availability and an additional $50 processing fee.

All classes are held from 9am - 5pm, and cost $425 per person unless stated otherwise. Lunch is provided. They are held at the DSD Building in beautiful Mission Valley in San Diego.

To register, call Sandy McCauley at 619-683-9900 or e-mail SandyM@dsdinc.com

MAS 90 and MAS 200 Promotions

For Existing Customers*:

  • 15% off the RMA module
  • 20% off Payroll module and Direct Deposit Extended Solution
  • 15% off Job Cost and Job Cost Extended Solutions
  • Upgrade to FRx Desktop and Get 15% off

*Some restrictions apply.

To order please contact Stephanie Smith at 619-683-9900 or e-mail StephanieS@dsdinc.com  

MAS 90 Tech Tips

Year End Closing Procedures

by Jennifer Phillips

Steps to ensure a successful year-end close. 

  1. System-wide back up of data prior to closing modules.
  2. Check module set up option screens and verify your history retention flags are set correctly prior to processing period and/or year end.
  3. If you are using the Accounts Payable module, you may only retain one current year and one future year of 1099 information.  Check the setting for current 1099 year in AP Setup Options.  If it is not equal to 2004, you must run and CLEAR out the prior year’s 1099’s.  The current 1099 Calendar Year field is automatically incremented when Form 1099 printing takes place and you have answered “Yes” at the “Do you want to Clear 1099 payments.”  If you did not do this, and your 1099’s are a disaster, we do have an enhancement available that can recalculate your 2004 1099 vendor payments.
  4. If you are using the Payroll Module, you must print the W-2’s prior to closing the year.  If you must close the year prior to printing the W-2’s in order to accommodate your payroll schedule, you will need to make a copy of the company with SVDATA (version 3.71 and earlier, or for version 4.0 or greater use the COPY feature in Company Maintenance) and you will print the W-2’s out of the copied company.
  5. Order of closing – when you close your modules, modules that write to other modules should be closed first.  For example, Sales Order can post to I/M, A/R and G/L. So Sales Order needs process period end before I/M, A/R or G/L. General Ledger is always closed last.
  6. After all modules have been closed, run another system-wide back up.  Do not overwrite the data that was backed up in step one – use another tape.
  7. Visit Best’s support site: http://support.bestsoftwareinc.com for complete checklists for closing, helpful hints and frequently asked questions.
Enhancements Products of the Month: 

MRCA California Magnetic Media 

MRCA California DE6 Quarterly Unemployment Magnetic Media allows the generation of magnetic media (diskettes) compliant with the California Quarterly DE6 Wage Information as required by the State of California Employment Development Department

"Beginning with tax year 1995, employers are required to make their report of contributions and wages (section 1088 (a) (1) of the California Unemployment Insurance Code (CUIC) by magnetic media if the employer is required to report W-2 data to the federal government by magnetic media. Currently, the federal government requires employers with 250 or more W-2s to file by magnetic media. The magnetic media filing threshold of 250 or more employees applies only to California employees. Multi-state filers who have less than 250 California employees will not be required to report on magnetic media, however, they are encouraged to do so."

For more information, contact Kim Clark at 619-683-9900 or KimC@dsdinc.com

 

MAS 500

MAS 500 Promotions

Existing Customers*:

  • 15% off Inventory Replenishment or Material Requirements Planning
  • Multicurrency Management is Available at a Reduced Price of $2500
  • 15% off Data Porter
  • Save on MAS 500 Standard 10-User Pack
  • Save on MAS 500 Advanced 10-User and 20-User Packs

*Some restrictions apply.

To order please contact Stephanie Smith at 619-683-9900 or e-mail StephanieS@dsdinc.com  

 

CRM
SalesLogix News

SalesLogix Issues a Security Alert: Multiple Security Risks for SalesLogix v6

SalesLogix has issued the following security alert. The security breaches appear to focus around the web client.

Severity:  Moderate

Date: October 2004

Products Affected:

SalesLogix v6.0 all versions

SalesLogix v6.1 prior to Service Pack 3

SalesLogix v6.2 requires changes to default settings to eliminate all risks (see Prevention)

                                                                                                                                               

DESCRIPTION OF RISK:

Multiple SalesLogix security risks have been discovered that may allow a remote attacker to gain unauthorized access.

IMPACT OF RISK:

An attacker has the potential to create a denial of service condition, execute SQL commands, view sensitive information including user information, or upload arbitrary files.

TECHNICAL DETAILS:

Risk 1: Authentication Bypass

Summary: By setting a cookie value, a user can log on to the SalesLogix Web Client without supplying username and password.

Resolution:  As much information as possible was removed from the cookie. This information remains on the server and a GUID is stored in the cookie to identify the user on future requests. Each GUID is valid only for the session that the user is logged on for and only for the machine that the user is logged on to.

Risk 2: Information Disclosure in HTTP Headers

Summary: By viewing the cookies, a user can see error messages sent by the sixweb.dll. The ‘user’ error message and the ‘log’ message are both visible. The ‘log’ message often contains detailed information to help the administration debug the problem, such as SQL statements etc.

Resolution: ‘Log” error messages are not added to the cookie. Error cookies now expire after a few seconds. Error cookies are used by the mail merge object to get information about failed requests to the server. These cookies will allow the mail merge objects to get the information they need, then they will expire and will no longer be accessible.

Risk 3: Document Store Directory Disclosure

Summary:  The full paths to the “library” and “attachment” directories are written to error messages for the user.

Resolution: The path was removed from the user error message. Only the filename is displayed.

Risk 4: SQL Injection

Summary: SQL injection seems possible in some instances. Example URL: http://www.example.com/scripts/slxweb.dll/view?name=coninfo&id=xyzzy’delete+from+account

Resolution: SQL statements in the DLL are generated as prepared statements so an attempt to insert additional statements causes the entire statement to fail during parsing.

Risk 5: Passwords are revealed in the source code

Summary: A “password” parameter is in the <object> tag for Group Manager.

Resolution: The password is strongly encrypted.

Risk 6: Attachment and Library paths are revealed in source code

Summary: Attachment and Library paths (including machine name and share name) are revealed in the Script that is visible to the user by viewing the source document. This is a minimal risk because if the user can log into SLX web, then they will likely have access to these directories.

Resolution: The <#SYS> tags that return the library path and attachment path now return bad data are ignored by the slxweb.dll. The slxweb.dll uses its own knowledge of these paths to decide where to save and retrieve attachments ant library files rather than using what is passed in from the client.

Risk 7: Gain access or insert files into file system

Summary: An attacker may perform a directory traversal attack by combining the previous risks to specify a file name and parent directory sequence to access the root of the file system. The attacker could then issue a ProcessQueueFile command to insert, create, or overwrite files.

Resolution: SalesLogix will prevent uploading arbitrary files to the SalesLogix server by adding “ProcessQueueFile” to the header of a socket request.

PREVENTION:

SalesLogix v6.0 requires an upgrade to SalesLogix v6.1 with appropriate patches as described in the following paragraph.

SalesLogix v6.1 Service Pack 2 with Hot Fix 6 must be applied at minimum. SalesLogix v6.1 Service Pack incorporates Hot Fix 5 and 6.

SalesLogix v 6.2 resolves the previous risks. Due to encryption overhead, the encryption of data between the SalesLogix Provider (Web Host or Client) and the SalesLogix Server is disabled by default since this data transfer is limited to the local network. To enable encryption:

1.       Open the SLXLocalServers.xml file on the SalesLogix Server.

2.       Change <Encryption type =”0”/> to <Encryption type =”1”/> in both locations in the file.

3.       Save the changes to the SLXLocalServers.xml file and restart the SLX Server (all SLX services).

 

For more general information on SalesLogix for the Pocket PC, please contact Stephanie Smith stephanies@dsdinc.com. If you have question of a technical nature, please contact John Maul johnm@dsdinc.com.

 
This monthly newsletter is sent to DSD Business Systems customers and partners. If you do not wish to receive this publication, please reply with the Subject "Remove" and we'll exclude you from receiving it.

All prices and offers are subject to change without notice. Copyright 2004 , DSD Business Systems, San Diego, CA. All rights reserved.