RoundCube password plugin setup

OS type and version: Ubuntu 20.04.2
Webmin version: 1.973
Virtualmin version: 6.16
RoundCube version: 1.4.11

I m trying to add the password plugin to Roundcube using this Medium guide.

After following the above guide, I tailed the Roundcube error.logs file and then tried to change the password via Roundcube which return a Could not save new password error dialog box and the logs indicated that the problem was with the username:

No user named was found in the server

So with the hep of @pdropi’s comment in this other Virtualmin forum thread, I used the str_replace function on the username variable in drivers/virtualmin.php and the password was changed successfully via Roundcube.

However, I came across yet another Virtualmin forum thread where @Ilia said:

Even though with mentioned implementation above it would still be possible to change other users passwords. No acceptable as well. The right way would be is to check on C script for current unix user and make sure that it equals passed --user param.

So my question is: Is the current setup that I have above safe or should I undo the above changes and use @Ilia’s commit from Github?

Why would you need a password plugin. You can change the password in Roundcube either by using the Roundcube dialogue itself or by using phpmyadmin.

I’m genuinely curious.

The mailboxes are used by my clients and I would rather they change their password via Roundcube itself rather than via Usermin (or as you mentioned, PhpMyAdmin).

Not sure what you mean by Roundcube dialogue though.

On mine it’s in the settings menu. You just click settings and it’s about the 4th or 5th option down right below responses.

Your Roundcube installation probably has the plugin pre-configured or something because that option shows up only if the password plugin is set-up.

I wasn’t aware of that. Thanks for the education.

What provides RoundCube (at the moment) for Virtualmin to change user password is both wrong and very dangerous (as it is practically a root capable exploit).

I provided the patch in C, which you should use (if you really need this feature).

I re-compiled the C file with the changes from your commit after removing the previous executable but now if I try to change the password via Roundcube, it fails and the following is logged:

PHP Error: Password plugin: Unable to execute /home/example/public_html/plugins/password/helpers/chgvirtualminpasswd or domain for mail-user '' not known to Virtualmin in /home/example/public_html/plugins/password/drivers/virtualmin.php on line 47 (POST /?_task=settings&_action=plugin.password-save)

Reverting the str_replace modification made didn’t help either and just return the same error but with the - instead of the @:

PHP Error: Password plugin: Unable to execute /home/example/public_html/plugins/password/helpers/chgvirtualminpasswd or domain for mail-user '' not known to Virtualmin in /home/example/public_html/plugins/password/drivers/virtualmin.php on line 47 (POST /?_task=settings&_action=plugin.password-save)

This question should be addressed to RoundCube team indeed.

I presume there are extra modifications needed on their side to be done to support updated command.

Oh ok, I’ll do that. I’ll raised an issue on their GitHub repo and provide a link to this thread on it as well.

Cheers @Ilia!!

This topic was automatically closed 8 days after the last reply. New replies are no longer allowed.