
Additional config not parsed, resulted in exposed admin with default password

Open muhlemmer opened this issue 6 years ago • 3 comments

RainLoop version, browser, OS: rainloop-community-1.12.1, N/A, Docker image php:7.2-apache

Part of the Mailu mail distribution.

Expected behavior and actual behavior:

Configuration file defined in __get_additional_configuration_name() in include.php is not parsed when application.ini is not present. application.ini only gets generated when any setting is changed in the admin interface.

Using the above, we used to include a .ini file which specified:

[security]
allow_admin_panel = Off

I'm relatively new to that project, but this way of configuring was introduced around 3 years ago. I assume it worked back then and got broken somewhere between then and now. This resulted in a security bug, Mailu/Mailu#947, which basically exposed the admin interface with the default password for many of our users!

Steps to reproduce the problem:

/var/www/html/include.php:

<?php
// Rename this file to "include.php" to enable it.
/**
 * @return string
 */
function __get_custom_data_full_path()
{
	return '/data/'; // custom data folder path
}
/**
 * @return string
 */
function __get_additional_configuration_name()
{
	return 'config.ini';
}

/data/_data_/_default_/configs/config.ini:

; RainLoop Webmail configuration file

[webmail]
attachment_size_limit = {{ MAX_FILESIZE }}

[security]
allow_admin_panel = Off

[labs]
allow_gravatar = Off

Logs or screenshots: No logs found explaining a faulty config or exposed admin.

muhlemmer, Feb 23 '19 09:02
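
A deployment preflight check for the failure mode reported above, as an added example that is not part of the original thread and not RainLoop's or Mailu's code. It assumes the built-in default for allow_admin_panel is On and that the additional file overrides application.ini once it is parsed; `admin_panel_status` and `demo` are hypothetical names.

```python
import configparser
import tempfile
from pathlib import Path

# Assumption: the built-in default is On, inferred from the exposure reported above.
DEFAULT_ALLOW_ADMIN_PANEL = True

def _read_ini(path):
    # interpolation=None keeps '%' and template placeholders in values literal.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read(path, encoding="utf-8")
    return parser

def admin_panel_status(config_dir, additional_name="config.ini"):
    """Return (admin_panel_enabled, finding) for one RainLoop configs directory.

    Models the behaviour reported in the issue: the additional file is only
    parsed once application.ini exists.
    """
    config_dir = Path(config_dir)
    app_ini = config_dir / "application.ini"
    extra = _read_ini(config_dir / additional_name)  # a missing file reads as empty
    wanted = extra.getboolean("security", "allow_admin_panel", fallback=None)

    if not app_ini.is_file():
        if wanted is False:
            return DEFAULT_ALLOW_ADMIN_PANEL, "override ignored: application.ini missing"
        return DEFAULT_ALLOW_ADMIN_PANEL, "application.ini missing: defaults apply"

    enabled = _read_ini(app_ini).getboolean(
        "security", "allow_admin_panel", fallback=DEFAULT_ALLOW_ADMIN_PANEL)
    if wanted is not None:
        enabled = wanted  # assumption: the additional file overrides application.ini
    return enabled, ("admin panel enabled" if enabled else "admin panel disabled")

def demo():
    """Run the check on a constructed configs directory, before and after
    application.ini exists."""
    with tempfile.TemporaryDirectory() as tmp:
        configs = Path(tmp)
        # Constructed sample mirroring the [security] override from the issue.
        (configs / "config.ini").write_text("[security]\nallow_admin_panel = Off\n")
        before = admin_panel_status(configs)
        (configs / "application.ini").write_text("[security]\nallow_admin_panel = On\n")
        after = admin_panel_status(configs)
    return before, after

if __name__ == "__main__":
    for enabled, finding in demo():
        print(enabled, finding)
```

Pointed at the configs directory from the report (/data/_data_/_default_/configs/), a container entrypoint can refuse to start when the first element of the result is true.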

I feel it is better that application.ini would be part of the installation. And also that allow_admin_panel should default to Off.

rolfen, Mar 13 '19 20:03

Just found this the hard way too. I think it would be better to distribute a complete application.ini with sensible secure defaults and a random user or password when it's first started.

teknopaul, Nov 27 '22 19:11

A mechanism to encrypt a secret password on the CLI before booting for the first time would be useful too.

teknopaul, Nov 27 '22 19:11