OS type and version: Ubuntu 20.04.2 Webmin version: 1.973 Virtualmin version: 6.16 RoundCube version: 1.4.11
I'm trying to add the password plugin to Roundcube using this Medium guide.
After following the above guide, I tailed the Roundcube error.logs file and then tried to change the password via Roundcube, which returned a "Could not save new password" error dialog box, and the logs indicated that the problem was with the username:
No user named johndoe-example.com was found in the server example.com
So with the help of @pdropi's comment in this other Virtualmin forum thread, I used the str_replace function on the username variable in drivers/virtualmin.php and the password was changed successfully via Roundcube.
Even though with the mentioned implementation above it would still be possible to change other users' passwords. Not acceptable as well. The right way would be to check in the C script for the current unix user and make sure that it equals the passed --user param.
So my question is: Is the current setup that I have above safe or should I undo the above changes and use @Ilia’s commit from Github?
The mailboxes are used by my clients and I would rather they change their password via Roundcube itself rather than via Usermin (or as you mentioned, PhpMyAdmin).
Not sure what you mean by Roundcube dialogue though.
What RoundCube provides (at the moment) for Virtualmin to change user passwords is both wrong and very dangerous (as it is practically a root-capable exploit).
I provided the patch in C, which you should use (if you really need this feature).
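To make the "check the current unix user against the passed --user param" idea concrete, here is an added C example (not the Virtualmin helper and not @Ilia's patch) of the check a setuid helper can run before it touches any password. It resolves the real uid of the invoking process with getuid()/getpwuid() and refuses unless that login name is exactly the requested user. The function names, the --user flag parsing and the assumption that the helper is invoked as the mail user itself are all assumptions made for this illustration.

```c
/* Added example: an ownership check for a setuid password helper.
 * Not the Roundcube/Virtualmin chgvirtualminpasswd code; names are assumed. */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Pure comparison kept separate so it can be tested without a real account:
 * returns 1 only when the requested user is exactly the invoking user. */
int user_matches_caller(const char *requested, const char *caller)
{
    if (requested == NULL || caller == NULL || requested[0] == '\0')
        return 0;
    /* No normalising of '@' vs '-' here: an exact match is the whole point,
     * otherwise a caller could steer the check toward a different account. */
    return strcmp(requested, caller) == 0;
}

/* Resolve the REAL uid (getuid, not the effective setuid one) to a login
 * name. Returns 1 on success and copies the name into buf. */
int caller_login_name(char *buf, size_t buflen)
{
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL || pw->pw_name == NULL || strlen(pw->pw_name) >= buflen)
        return 0;
    strcpy(buf, pw->pw_name);
    return 1;
}

/* Parse "--user NAME" from argv; returns the name or NULL if absent. */
const char *parse_user_arg(int argc, char **argv)
{
    for (int i = 1; i + 1 < argc; i++) {
        if (strcmp(argv[i], "--user") == 0)
            return argv[i + 1];
    }
    return NULL;
}

int main(int argc, char **argv)
{
    char caller[256];
    const char *requested = parse_user_arg(argc, argv);

    if (requested == NULL) {
        fprintf(stderr, "usage: %s --user NAME\n", argv[0]);
        return 2;
    }
    if (!caller_login_name(caller, sizeof caller)) {
        fprintf(stderr, "cannot resolve invoking user\n");
        return 1;
    }
    if (!user_matches_caller(requested, caller)) {
        fprintf(stderr, "refusing: %s may not change the password of %s\n",
                caller, requested);
        return 1;
    }
    /* Only past this point would the real password change be performed. */
    printf("caller %s is allowed to change its own password\n", caller);
    return 0;
}
```

The check relies on the helper being executed as the mail user whose password is being changed; if PHP runs as the domain owner instead, the real uid will be that owner, and the mapping from owner to permitted mailboxes would have to be checked in addition to what is shown here.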
I re-compiled the C file with the changes from your commit after removing the previous executable but now if I try to change the password via Roundcube, it fails and the following is logged:
PHP Error: Password plugin: Unable to execute /home/example/public_html/plugins/password/helpers/chgvirtualminpasswd or domain for mail-user 'johndoe@example.com' not known to Virtualmin in /home/example/public_html/plugins/password/drivers/virtualmin.php on line 47 (POST /?_task=settings&_action=plugin.password-save)
Reverting the str_replace modification didn't help either and just returned the same error, but with a - instead of the @:
PHP Error: Password plugin: Unable to execute /home/example/public_html/plugins/password/helpers/chgvirtualminpasswd or domain for mail-user 'johndoe-example.com' not known to Virtualmin in /home/example/public_html/plugins/password/drivers/virtualmin.php on line 47 (POST /?_task=settings&_action=plugin.password-save)