- Could be updated with the list of current default enabled plugins (archive,zipdownload,managesieve,markasjunk)
- Provide a list of available bundled plugins (with the exact name allowed to input on Settings → Advanced → Plugins).
Would be event better to be able to select and add available plugins from a list.
For instance, I tried writing some random plugin name (like nextcloud) on the plugins field but it is not available within the bundled ones.
The plugins field has no validation (accept spaces and any other character).
Even though there are user restrictions and container isolation, tried to do some “security hack” (path traversal or some other) through the plugins field, but don’t know / cannot remember any… No security expert here.
Edit: almost by chance broke roundcube webpage rendering through php injection?:
By pasting exec("ping -c 4 " . $_GET['host'], $output); echo "<pre>"; print_r($output); echo "</pre>"; (something found on a random security webpage) in plugins field. Not saying that exec() worked but some part of the code did.
2024-03-13T01:38:50+01:00 [1:roundcubemail1:roundcubemail-app] [Wed Mar 13 00:38:50.173513 2024] [php:error] [pid 142] [client 10.0.2.100:60628] PHP Parse error: syntax error, unexpected identifier "host", expecting "]" in /var/www/html/config/config.docker.inc.php on line 9, referer: http://roundcube2.ns8.test/?_task=addressbook&_source=0&_gid=
2024-03-13T01:39:24+01:00 [1:roundcubemail1:roundcubemail-app] [Wed Mar 13 00:39:24.618716 2024] [php:error] [pid 143] [client 10.0.2.100:35838] PHP Parse error: syntax error, unexpected identifier "host", expecting "]" in /var/www/html/config/config.docker.inc.php on line 9, referer: http://roundcube2.ns8.test/?_task=mail&_mbox=INBOX2.632200 2024] [php:error] [pid 144] [client 10.0.2.100:43072] PHP Parse error: syntax error, unexpected identifier "host", expecting "]" in /var/www/html/config/config.docker.inc.php on line 9
Edit: code can be injected in config.docker.php file.