RoundCube password plugin setup

OS type and version: Ubuntu 20.04.2
Webmin version: 1.973
Virtualmin version: 6.16
RoundCube version: 1.4.11


I’m trying to add the password plugin to Roundcube using this Medium guide.

After following the above guide, I tailed the Roundcube error.logs file and then tried to change the password via Roundcube, which returned a "Could not save new password" error dialog box, and the logs indicated that the problem was with the username:

No user named johndoe-example.com was found in the server example.com

So with the help of @pdropi’s comment in this other Virtualmin forum thread, I used the str_replace function on the username variable in drivers/virtualmin.php and the password was changed successfully via Roundcube.

However, I came across yet another Virtualmin forum thread where @Ilia said:

Even though with mentioned implementation above it would still be possible to change other users’ passwords. Not acceptable as well. The right way would be to check in the C script for the current unix user and make sure that it equals the passed --user param.

So my question is: Is the current setup that I have above safe or should I undo the above changes and use @Ilia’s commit from GitHub?

Why would you need a password plugin? You can change the password in Roundcube either by using the Roundcube dialogue itself or by using phpmyadmin.

I’m genuinely curious.

The mailboxes are used by my clients and I would rather they change their password via Roundcube itself rather than via Usermin (or as you mentioned, PhpMyAdmin).

Not sure what you mean by Roundcube dialogue though.

On mine it’s in the settings menu. You just click settings and it’s about the 4th or 5th option down right below responses.

Your Roundcube installation probably has the plugin pre-configured or something because that option shows up only if the password plugin is set up.

I wasn’t aware of that. Thanks for the education.

What RoundCube provides (at the moment) for Virtualmin to change a user’s password is both wrong and very dangerous (as it is practically a root-capable exploit).

I provided the patch in C, which you should use (if you really need this feature).
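The check quoted earlier in the thread (the helper confirms that the current unix user equals the passed --user param), shown as an added example; it is not the GitHub commit discussed here and not Roundcube's own helper code. It assumes the helper runs with raised privileges (for example setuid) and receives its options in argv; the function names and sample user names are hypothetical.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Return the single --user value in argv, or NULL if it is missing, empty,
 * or given more than once (in either "--user v" or "--user=v" form). */
const char *single_user_arg(int argc, char *const argv[])
{
    const char *found = NULL;
    for (int i = 1; i < argc; i++) {
        const char *val = NULL;
        if (strcmp(argv[i], "--user") == 0) {
            if (i + 1 >= argc)
                return NULL;            /* option without a value */
            val = argv[++i];
        } else if (strncmp(argv[i], "--user=", 7) == 0) {
            val = argv[i] + 7;
        } else {
            continue;                   /* some other option */
        }
        if (found != NULL || *val == '\0')
            return NULL;                /* duplicate or empty value */
        found = val;
    }
    return found;
}

/* 1 only when the caller's account name equals the one --user value. */
int user_arg_allowed(const char *caller, int argc, char *const argv[])
{
    const char *requested = single_user_arg(argc, argv);
    return caller != NULL && requested != NULL && strcmp(caller, requested) == 0;
}

int main(int argc, char *argv[])
{
    /* Real UID: the account that started the helper, which (assuming a
     * setuid install) differs from the privileged effective UID. */
    struct passwd *pw = getpwuid(getuid());
    if (!user_arg_allowed(pw ? pw->pw_name : NULL, argc, argv)) {
        fprintf(stderr, "refused: --user must name the calling account\n");
        return 1;
    }
    puts("check passed; a real helper would only now use its privileges");
    return 0;
}
```

Rejecting a repeated --user matters because a later duplicate could otherwise override the value that was checked.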

I re-compiled the C file with the changes from your commit after removing the previous executable but now if I try to change the password via Roundcube, it fails and the following is logged:

PHP Error: Password plugin: Unable to execute /home/example/public_html/plugins/password/helpers/chgvirtualminpasswd or domain for mail-user 'johndoe@example.com' not known to Virtualmin in /home/example/public_html/plugins/password/drivers/virtualmin.php on line 47 (POST /?_task=settings&_action=plugin.password-save)

Reverting the str_replace modification made didn’t help either and just returned the same error but with the - instead of the @:

PHP Error: Password plugin: Unable to execute /home/example/public_html/plugins/password/helpers/chgvirtualminpasswd or domain for mail-user 'johndoe-example.com' not known to Virtualmin in /home/example/public_html/plugins/password/drivers/virtualmin.php on line 47 (POST /?_task=settings&_action=plugin.password-save)

This question should be addressed to RoundCube team indeed.

I presume extra modifications are needed on their side to support the updated command.

Oh ok, I’ll do that. I’ll raise an issue on their GitHub repo and provide a link to this thread on it as well.

Cheers @Ilia!!
