
/etc/squirrelmail/secure-login-config.php is in squirrelmail-secure-login 1.4-3.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

<?php

/**
  * SquirrelMail Secure Login Plugin
  * Copyright (c) 2002 Graham Norbury <gnorbury@bondcar.com>
  * Copyright (c) 2003-2008 Paul Lesniewski <paul@squirrelmail.org>
  * Licensed under the GNU GPL. For full terms see the file COPYING.
  *
  * @package plugins
  * @subpackage secure_login
  *
  */

   // All settings are declared global so that the assignments below land in
   // the global scope even when this file is included from inside a function
   // (presumably how the plugin loads it -- confirm against the plugin code).
   //
   global $change_back_to_http_after_login,
          $remain_in_https_if_logged_in_using_https,
          $allVirtualDomainsUnderOneSSLHost,
          $entryPointDomainPattern,
          $entryPointPathPattern,
          $entryPointQueryPattern,
          $sl_securePort,
          $nonStandardHttpPort,
          $sl_obey_x_forwarded_headers,
          $sl_debug;



   // Zero keeps user sessions in SSL for their entire duration.
   //
   // NOTE(review): judging by the setting's name, a non-zero value returns
   // the browser to plain http once login has completed.  Everything sent
   // after that point (session cookie, folder listings, message bodies)
   // would then travel unencrypted, so only the password submission itself
   // is protected.  Leave this at zero unless plain http after login is a
   // deliberate choice.
   //
   $change_back_to_http_after_login = 0;



   // Set to one if sessions should stay in SSL only when the user originally
   // arrived through SSL, i.e. this plugin did not have to redirect them.
   //
   // NOTE(review): presumably only meaningful when
   // $change_back_to_http_after_login is enabled -- confirm against the
   // plugin documentation.
   //
   $remain_in_https_if_logged_in_using_https = 0;



   // For sites that serve the SSL requests of all virtual domains from a
   // single host URI (common when one certificate covers every host), where
   // the correct URI of the SquirrelMail login page looks like:
   //
   // https://www.onedomain.com/virtualdomain.com/mail/src/login.php
   //
   // or:
   //
   // https://www.onedomain.com/mail/src/login.php?domain=virtualdomain.com
   //
   // Set this value to the pattern that reproduces the correct SSL URI of
   // the SquirrelMail login page.  Available substitutions:
   //
   // ###DOMAIN###  --  The full domain from the original http request,
   //                   such as virtualdomain.com
   // ###PATH###    --  The path/directory information from the original
   //                   http request, such as /mail or /mail/src/login.php
   // ###QUERY###   --  The query string from the original http request,
   //                   such as ?mynameis=pavel&color=green
   //
   // The two examples below build URI patterns that match the two URIs
   // shown above.
   //
   // $allVirtualDomainsUnderOneSSLHost = 'https://www.onedomain.com/###DOMAIN######PATH###';
   // $allVirtualDomainsUnderOneSSLHost = 'https://www.onedomain.com/mail/src/login.php?domain=###DOMAIN###';
   //
   // NOTE that this setting is also useful when you need fine-grained
   // control over the encrypted URI, even if that URI differs between your
   // virtual hosts.  For example:
   //
   // $allVirtualDomainsUnderOneSSLHost = 'https://secret.###DOMAIN###/secret_mail/src/login.php###QUERY###';
   //
   // NOTE(review): all three substitutions are filled from the incoming
   // request, which the client controls.  A pattern that places
   // ###DOMAIN### in the host part of the URI (as in the last example) lets
   // the requested host name decide where the redirect points, so the web
   // server should only answer for the host names you actually serve.
   //
   $allVirtualDomainsUnderOneSSLHost = '';



   // The $allVirtualDomainsUnderOneSSLHost setting above assumes that the
   // original plain (unencrypted) http request arrives at a URI such as:
   //
   // http://virtualdomain.com/mail/src/login.php
   //
   // If your plain http entry point instead uses a layout such as:
   //
   // http://www.onedomain.com/virtualdomain.com/mail/src/login.php
   //
   // or:
   //
   // http://www.onedomain.com/mail/src/login.php?domain=virtualdomain.com
   //
   // then set each of these values to a regular expression whose first
   // group (set of parentheses) captures:
   //
   //   $entryPointDomainPattern  --  the domain portion of the URI
   //   $entryPointPathPattern    --  the path portion of the URI
   //   $entryPointQueryPattern   --  the query portion of the URI
   //
   // Otherwise, leave all three set to empty strings.
   //
   // The two example sets below pick the domain, path and query string out
   // of the two sample URIs given above.
   //
   // $entryPointDomainPattern = '/[\/]+.+?\/(.+?)(\/|$)/';
   // $entryPointPathPattern   = '/[\/]+.+?\/.+?(\/.*?)(\?|$)/';
   // $entryPointQueryPattern  = '/(\?.*)/';
   //
   // $entryPointDomainPattern = '/domain=(.+?)(&|$)/';
   // $entryPointPathPattern   = '/[\/]+.+?(\/.*?)(\?|$)/';
   // $entryPointQueryPattern  = '/(\&.*)/';
   //
   // NOTE that these settings can also help when you need better control
   // over how the domain is parsed out of the original entry URI.  Use them
   // only if the auto-sensing behavior of the plugin does not work.
   //
   // NOTE(review): whatever these groups capture comes from the request URI
   // and is therefore client-supplied; keep the patterns as narrow as your
   // URI layout allows.
   //
   $entryPointDomainPattern = '';
   $entryPointPathPattern   = '';
   $entryPointQueryPattern  = '';



   // By default, https requests are made without an explicit port number.
   // If plain http is served on a non-standard port, that port is carried
   // over into the https redirection, which may break your SquirrelMail.
   //
   // If your server listens for https on a non-standard port, or the
   // situation above applies to you (non-standard http port), specify the
   // https port number here (or remove it, which makes the browser use the
   // default port, 443).
   //
   // If you use one of the commented-out alternatives, remember to remove
   // the slashes in front of it.
   //
   // $sl_securePort = '';
   // $sl_securePort = '888';
   $sl_securePort = '443';



   // If regular http requests are served on a non-standard port (anything
   // other than port 80), specify that port here.  If you use port 80,
   // leave this value empty.
   //
   //$nonStandardHttpPort = '80';
   $nonStandardHttpPort = '';



   // If SquirrelMail runs behind a proxy server and the client domain
   // information arrives in X_FORWARDED_* headers, enable this setting
   // (set it to 1).  Otherwise leave it off (zero) to reduce the chance that
   // someone can forge the hostname in their request headers.
   //
   // NOTE(review): when this is enabled, the proxy should overwrite or strip
   // any X-Forwarded-* headers sent by the client, and SquirrelMail should
   // be reachable only through that proxy; otherwise the forged-hostname
   // risk described above applies to these headers as well.
   //
   // $sl_obey_x_forwarded_headers = 1;
   $sl_obey_x_forwarded_headers = 0;



   // Turn this on for debugging purposes only.
   //
   // 1 = show server environment upon entry
   // 2 = show redirect URI and server environment
   //
   // NOTE(review): both levels print the server environment into the page,
   // so whoever requests the login page sees it.  Keep this at zero on any
   // publicly reachable installation and reset it once debugging is done.
   //
   $sl_debug = 0;