Crucial: roundcubemail always writes debug logs!

Henning henne.gwath at
Thu May 29 21:49:59 CEST 2014


I found the root of the problem in the file
/usr/share/roundcubemail/plugins/kolab_auth/kolab_auth.php, there it reads:

        // Enable debug logs per-user, this enables logging only after
        // user has logged in
        if (!empty($_SESSION['username']) && $rcmail->config->get('kolab_auth_auditlog')) {
            $rcmail->config->set('debug_level', 1);
            $rcmail->config->set('devel_mode', true);
            $rcmail->config->set('smtp_log', true);
            $rcmail->config->set('log_logins', true);
            $rcmail->config->set('log_session', true);
            $rcmail->config->set('memcache_debug', true);
            $rcmail->config->set('imap_debug', true);
            $rcmail->config->set('ldap_debug', true);
            $rcmail->config->set('smtp_debug', true);
            $rcmail->config->set('sql_debug', true);

            // SQL debug need to be set directly on DB object
            // setting config variable will not work here because
            // the object is already initialized/configured
            if ($db = $rcmail->get_dbh()) {

The option kolab_auth_auditlog is enabled by default. According to the
comment line it seems to be reasonable...

// Enable audit logging for abuse of administrative privileges.
$rcmail_config['kolab_auth_auditlog'] = true;

Why does kolab_auth_auditlog have to enable debugging for all users,
always? Plaintext passwords are logged verbosely, although
disabled by the global roundcube settings! Is this intended?

For the moment, I just commented out the whole PHP code block posted above.


On 29.05.2014 18:07, Henning wrote:
> No, it can't be disabled! Setting logging to syslog and disable it from
> there.
> On 29.05.2014 17:59, Henning wrote:
>> Hi,
>> I just noticed, that, although set
>> $config['debug_level'] = 1;
>> $config['ldap_debug'] = false;
>> roundcubemail is logging verbose (including plaintext passwords!).
>> This can be only disabled by setting
>> $config['debug_level'] = 0;
>> Is this intended? Logging enabled means password logging? Couldn't!
>> Henning
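
An added example, not part of the original post and not Roundcube or Kolab code: a small Python audit that parses Roundcube-style config assignments and reports which explicitly configured settings the quoted kolab_auth block would replace for a logged-in user. The forced values are copied from the excerpt in the post; the function names and the sample config are constructed for illustration, and only settings present in the supplied text are considered.

```python
import re

# Values the quoted kolab_auth.php block sets for a logged-in user
# (copied from the excerpt in the post).
FORCED = {
    "debug_level": 1, "devel_mode": True, "smtp_log": True, "log_logins": True,
    "log_session": True, "memcache_debug": True, "imap_debug": True,
    "ldap_debug": True, "smtp_debug": True, "sql_debug": True,
}

# Matches active lines such as  $config['ldap_debug'] = false;
# Commented-out lines do not match because the line must start with "$".
ASSIGN = re.compile(
    r"""^\s*\$(?:rcmail_config|config)\[\s*['"]([\w-]+)['"]\s*\]\s*=\s*(.+?)\s*;"""
)

def parse_config(text):
    """Collect simple scalar assignments; later lines override earlier ones."""
    settings = {}
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue
        key, raw = m.groups()
        if raw.lower() in ("true", "false"):
            settings[key] = raw.lower() == "true"
        elif re.fullmatch(r"-?\d+", raw):
            settings[key] = int(raw)
        else:
            settings[key] = raw.strip("'\"")
    return settings

def effective_settings(settings, logged_in=True):
    """Apply the override as the quoted condition does: session user + auditlog."""
    eff = dict(settings)
    if logged_in and settings.get("kolab_auth_auditlog"):
        eff.update(FORCED)
    return eff

def overridden(settings):
    """Keys the admin set explicitly whose value the plugin block replaces."""
    eff = effective_settings(settings)
    return sorted(k for k in FORCED if k in settings and settings[k] != eff[k])

# Constructed sample: two config lines from the post plus the plugin default.
SAMPLE = """
$config['debug_level'] = 1;
$config['ldap_debug'] = false;
$rcmail_config['kolab_auth_auditlog'] = true;
"""
```

Calling `overridden(parse_config(SAMPLE))` lists the settings an administrator turned off that are switched back on once a user is logged in.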
