Probably not really a bug, but from my point of view a severe security problem:
When you import a virtual domain using a Unix account (virtual-servers->import virtual server), you have to specify the account password. The problems are:
1. This password is stored in the file "/etc/webmin/virtual-server/domains/randomnumbers" in clear text! It shouldn't be so, as even root should not have too easy a chance to find out the users' passwords.
2. Even worse from my point of view: the password is provided in an environment variable to ANY PHP script, which means even phpinfo shows as Environment:
VIRTUALSERVER_USER name of user can be seen here!
VIRTUALSERVER_PASS the clear password can be seen here!
I don't dare to speak of all the webmasters who have somewhere in their website at least one script simply outputting phpinfo...
An attacker would thus easily have access to usernames and passwords!
At least there should be a warning when entering the password that it will be provided in an environment variable to any PHP script. It would probably be better to md5() it, or even not to provide it at all.
I would appreciate your feedback.
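
Added example, not part of the original post and not Webmin or Virtualmin code: a small audit that reads saved phpinfo() output from your own site and reports whether the VIRTUALSERVER_* variables described above are exposed, without printing their values. The sample HTML, the extra name suffixes in SECRET_HINT and the function names are assumptions made for the illustration.

```python
import re
from html import unescape

# The two variable names quoted in the post.
REPORTED = {"VIRTUALSERVER_USER", "VIRTUALSERVER_PASS"}
# Assumption: other names ending like this are also worth flagging.
SECRET_HINT = re.compile(r"(PASS|PASSWD|PASSWORD|SECRET|TOKEN|KEY)$", re.I)
# phpinfo() prints each setting as <td class="e">NAME</td><td class="v">VALUE</td>.
ROW = re.compile(r'<td class="e">\s*(.*?)\s*</td>\s*<td class="v">\s*(.*?)\s*</td>', re.S)
# The same variable is listed again as $_SERVER['NAME'] or $_ENV['NAME'].
ARRAY_FORM = re.compile(r"""\$?_(?:SERVER|ENV)\[["'](.+?)["']\]$""")

# Constructed sample of saved phpinfo() output; all values are made up.
SAMPLE = """
<tr><td class="e">PATH </td><td class="v">/usr/bin:/bin </td></tr>
<tr><td class="e">VIRTUALSERVER_USER </td><td class="v">exampleuser </td></tr>
<tr><td class="e">VIRTUALSERVER_PASS </td><td class="v">not-a-real-password </td></tr>
<tr><td class="e">$_SERVER['VIRTUALSERVER_PASS']</td><td class="v">not-a-real-password</td></tr>
"""

def _text(cell):
    """Strip nested tags and decode HTML entities from one table cell."""
    return unescape(re.sub(r"<[^>]+>", "", cell)).strip()

def audit_phpinfo(html):
    """Return (name, severity, redacted value) for each exposed variable, once."""
    findings, seen = [], set()
    for raw_name, raw_value in ROW.findall(html):
        name = _text(raw_name)
        m = ARRAY_FORM.match(name)
        key = m.group(1) if m else name
        if key in seen:
            continue
        if SECRET_HINT.search(key):
            severity = "secret"
        elif key in REPORTED:
            severity = "identity"
        else:
            continue
        seen.add(key)
        # Report only the length so the audit output does not leak the value.
        findings.append((key, severity, "<redacted, %d chars>" % len(_text(raw_value))))
    return findings

if __name__ == "__main__":
    for finding in audit_phpinfo(SAMPLE):
        print(*finding)
```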