0

Well, I have a dedicated hosting server service and it has a Plesk panel for its administration, as many will know Plesk comes with RoundCube as the default service for webmail access.

My issue is that the users of a created email account do not have direct control over the options of their account, that is, with the current configuration they cannot directly change their password from the webmail service or do other administrative activities on their account. However, if when creating an email account in Plesk I activate the "can be used to log in to Plesk" function, the user can use their email address and password to log in to Plesk and reach a limited panel of functions that allows them to do the activities I mentioned above. It even has a direct "Open Webmail" option on the panel, and this gets me to my question.

When you use this option, it sends you to the webmail service address with the following link "https://webmail.yourdomain.tld/roundcube/index.php?_user=usersaccount%40yourdomain.tld" and this takes you to the login page of RoundCube with the user field already filled with "usersaccount@yourdomain.tld".

Is there a way to also provide RoundCube with the password field as well?

I have tried adding the option "&_pass=userpass" to the end of the link but this does not work, like doing "https://webmail.yourdomain.tld/roundcube/index.php?_user=usersaccount%40yourdomain.tld&_pass=userpass".

My idea is to replace the index.php file of the webmail subdomain with one developed to imitate the Plesk login but related to webmail access, which saves the credentials in a temporary cookie, and also to modify the link of the "Open Webmail" option to include the password field so that the user can go directly to their account, giving the end user the feeling of an integrated platform, something similar to what is currently done in cPanel. Currently, as it is, the Plesk login is at a distant address from the webmail login, and there is no relationship from RoundCube to the Plesk address that could give the user any hint that they can manage their account without intervention from the server administrator; therefore, as the platform is developed until now, the option for the end user to manage their account directly is almost as if it did not exist.

TheBot
  • 1

1 Answer

0

I URGE AGAINST DOING THIS. IT IS VERY, VERY BAD FOR SECURITY

I've done a bit of digging, and it is possible to modify the webmail form to inject a password into the password field. I expect it might vary very slightly depending on version, but on Roundcube version 1.6 I could do this by editing line 2345 of

/path/to/roundcube/program/include/rcmail_output_html.php

Search for $input_passwordfield and modify this so that it includes a 'value'=>$_REQUEST['_pass'] after the 'required' => 'required' field, i.e. change

    $input_pass   = new html_passwordfield(['name' => '_pass', 'id' => 'rcmloginpwd', 'required' => 'required']
        + $attrib + $pass_attrib);

to

    $input_pass   = new html_passwordfield(['name' => '_pass', 'id' => 'rcmloginpwd', 'required' => 'required','value'=>$_REQUEST['_pass']]
        + $attrib + $pass_attrib);

AGAIN - DON'T DO THIS.

I note that for a start this allows people to bookmark the URL with the password in it. You may be able to mitigate this by using a $_POST and submitting it with a form.

I also have not bothered with any kind of sanity checking for the input. No idea what effect this has.

Of course, this all begs the question "why is the password stored in plain text in the first place that you can do this?"

davidgo
  • 73,366
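The leak the answer warns about is easy to see on the server side: a URL such as the one in the question, with `_pass=` appended, is written verbatim to the web server's access log (and to browser history, bookmarks and Referer headers). The following is an added example, not code from the thread or from Roundcube, that scans access log lines for requests whose query string carries a password-like parameter and reports them without copying the secret itself; it assumes the Apache/nginx "combined" log format and uses constructed sample lines.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query parameter names whose presence in a request URI means a secret went over the wire in the clear.
# "_pass" is Roundcube's login password field name (from the thread); the others are assumed common names.
SENSITIVE_PARAMS = {"_pass", "pass", "password", "passwd"}

# Apache/nginx "combined" access log format (assumed; adjust the regex for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) \S+'
)


def find_password_in_url(lines):
    """Return one dict per request whose query string carries a password-like parameter.

    Only the parameter *name* is kept in the result; the secret value is deliberately
    never copied out of the log line, so the report itself does not become a second leak.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        parts = urlsplit(m.group("uri"))
        leaked = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)
                         if k.lower() in SENSITIVE_PARAMS})
        if leaked:
            hits.append({"ip": m.group("ip"), "time": m.group("time"),
                         "path": parts.path, "params": leaked})
    return hits


# Constructed sample log lines (not real traffic). The second line is the question's URL with
# "&_pass=userpass" appended: the server logs it as-is, which is exactly the problem.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /roundcube/index.php?_user=usersaccount%40yourdomain.tld HTTP/1.1" 200 5123',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /roundcube/index.php?_user=usersaccount%40yourdomain.tld&_pass=userpass HTTP/1.1" 200 5123',
    '198.51.100.7 - - [10/Oct/2023:14:01:02 +0000] "POST /roundcube/index.php?_task=login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in find_password_in_url(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['path']} leaked params: {', '.join(hit['params'])}")
```

Run it against a real access log (`find_password_in_url(open("access.log"))`) to confirm whether any such URLs have already been recorded; note that a POST-based variant would not show up here, because the body is not logged.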