Configuration file defined in __get_additional_configuration_name() in include.php is not parsed when application.ini is not present. application.ini only gets generated when any setting is changed in the admin interface.
Using the above, we used to include a .ini file which specified:
[security]
allow_admin_panel = Off
I'm relatively new to that project, but this way of configuring was introduced around 3 years ago. I assume it worked back then and got broken somewhere between then and now. This resulted in a security bug: Mailu/Mailu#947, which basically exposed the admin interface with the default password for many of our users!
Steps to reproduce the problem:
/var/www/html/include.php:
<?php
// Rename this file to "include.php" to enable it.

/**
 * @return string
 */
function __get_custom_data_full_path()
{
    return '/data/'; // custom data folder path
}

/**
 * @return string
 */
function __get_additional_configuration_name()
{
    return 'config.ini';
}
/data/_data_/_default_/configs/config.ini:
; RainLoop Webmail configuration file
[webmail]
attachment_size_limit = {{ MAX_FILESIZE }}
[security]
allow_admin_panel = Off
[labs]
allow_gravatar = Off
Logs or screenshots:
No logs found explaining a faulty config or exposed admin.
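A check for deployments affected by this behaviour, added here as an example (it is not RainLoop's or Mailu's code): it derives the effective allow_admin_panel value the way the report describes, overlaying the additional file only when application.ini already exists, and warns when the override is being silently ignored. The built-in default of On, the awk-based ini parsing and the PHP-style truthiness rules are assumptions.

```shell
# Added example, not RainLoop's or Mailu's own code. Prints the effective
# allow_admin_panel value for a RainLoop configs directory, following the
# precedence this issue describes: the file named by
# __get_additional_configuration_name() is only overlaid when application.ini
# already exists. Assumed: built-in default is On; Off/0/false/no/empty mean off.

ini_value() {
  # ini_value FILE SECTION KEY: print KEY's value from [SECTION], nothing if absent
  awk -v sec="[$2]" -v key="$3" '
    /^[[:space:]]*[;#]/ { next }
    /^[[:space:]]*\[/   { hdr = $0; sub(/[[:space:]]+$/, "", hdr); insec = (hdr == sec); next }
    insec && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
      sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
    }' "$1"
}

to_state() {
  # Map an ini value to "on"/"off" (assumed PHP-style truthiness)
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    off|0|false|no|"") echo off ;;
    *) echo on ;;
  esac
}

rainloop_admin_panel_state() {
  # rainloop_admin_panel_state CONFIGS_DIR [ADDITIONAL_NAME]
  # Prints "on" or "off"; exit status is 0 only when the panel is off.
  configs=$1
  additional=${2:-config.ini}
  state=on
  if [ -f "$configs/application.ini" ]; then
    v=$(ini_value "$configs/application.ini" security allow_admin_panel)
    if [ -n "$v" ]; then state=$(to_state "$v"); fi
    # the additional file is read only in this branch (the behaviour reported above)
    if [ -f "$configs/$additional" ]; then
      v=$(ini_value "$configs/$additional" security allow_admin_panel)
      if [ -n "$v" ]; then state=$(to_state "$v"); fi
    fi
  elif [ -f "$configs/$additional" ]; then
    echo "warning: $additional present but application.ini missing, so it is not read" >&2
  fi
  echo "$state"
  [ "$state" = off ]
}
```

Run it against /data/_data_/_default_/configs (or the directory your __get_custom_data_full_path() points at); a non-zero exit means the admin panel is effectively enabled.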
Just found this the hard way too. I think it would be better to distribute a complete application.ini with sensible secure defaults and a random user or password when it's first started.
RainLoop version, browser, OS:
rainloop-community-1.12.1, N/A, Docker image php:7.2-apache
Part of the Mailu mail distribution.