Protected Web Directories (under home directory) option under 'Extra modules available to server administrators '.

When you want to enable this module for your hostings, so they can easily create password protected dirs.

If an admin in :10000/htaccess-htpasswd/index.cgi fills in '/' in the search box (find existing), and let it search, then all the virtualmin users can see and change all the password protected dirs!

How come this is possible?
Users can also create cronjobs that do things like ls /
They can then see everything on the server.

Severe bugs?

All the users are created by virtualmin itself.

Bug solved, fix is very simple.

How to create bug:
https://dom.com:10000/config.cgi?virtual-server
Extra Webmin modules for server administrators: select password protected dirs

Then enable under 'Extra modules available to server administrators ' (mind the small difference) the
'password protected dirs', set it to yes.

Find all the existing protected dirs by /.

Then remove the first protected dir option again and let the lowest protected dir on yes.

Users will still have full access to all protected dirs!


Other BIG BUG:
When you set 'Scheduled Cron Jobs (user's Cron jobs)' to yes, a user can simply input the following command in the cron:
ls /
He can then see everything hosted!