Release 2.1.26 introduces a couple of fixes and some new features.
An arbitrary file download web vulnerability was discovered and has been patched by denying unauthenticated access to downloadFile.php.
Fixes related to the implementation of the OWASP CSRF Protector Project library, which protects Teampass against Cross-Site Request Forgery.
Security fixes on some previously missed queries and on unprotected text fields.
Improvement of Syslog entries
Password show and clipboard-copy actions are now sent to Syslog.
Upgrade script manager
A new script manager for upgrades has been created in order to secure future upgrades.
NEW ROLE - Rights Manager
A Human Resources role has been introduced. It permits a user to manage all users independently of his/her group.
Note that such a user is also promoted to the Manager role, and that he will not be able to change an existing administrator.
NEW FEATURE - Remote server password change
This new feature allows a password change to be performed on a remote server and synchronized with the Teampass item.
Minor (but interesting) Changes
Some changes that may interest you:
- Estonian language was added
- Any new sub-folder created by a user must have a minimum complexity level at least equal to that of its top folder. Note that this restriction does not apply to the Manager and Administrator roles.
- After 3 bad login attempts, the user needs to wait 10 seconds before a new attempt.
Security analysis with RIPS
Teampass was analyzed for security bugs with RIPS by RIPSTech.
This analysis identified mainly two issues:
- a security issue in the API related to the use of parse_str() (which has been removed)
- a potential issue with the use of $_SESSION, which will be removed by the introduction of the configuration file instead of
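The parse_str() finding is an instance of a well-known PHP pitfall: called without a result array, parse_str() writes every query-string key straight into the current scope, so client input can overwrite server-side variables. The following is an added illustration of that class of bug and its fix, not Teampass code; the handler and variable names are hypothetical.

```php
<?php
// Added illustration (not Teampass code) of the parse_str() issue class.
// Handler and variable names are hypothetical.
declare(strict_types=1);

// "Before": one-argument parse_str() (allowed in PHP 7 and earlier; PHP 8
// made the second argument mandatory) injects query keys as local variables,
// so a server-side decision can be clobbered by the request.
function handle_api_request_unsafe(string $queryString): bool
{
    $isAuthenticated = false;   // decided by the server...
    parse_str($queryString);    // ...then overwritten if the string carries isAuthenticated=1
    return (bool) $isAuthenticated;
}

// "After": parse into an array and read only the keys you expect.
// Local variables are never touched by the request content.
function handle_api_request_safe(string $queryString): bool
{
    $isAuthenticated = false;
    parse_str($queryString, $params);
    $label = isset($params['label']) ? (string) $params['label'] : '';
    // $label is the only value taken from the request; the auth flag stays server-controlled
    return $isAuthenticated;
}

// Constructed sample input: a legitimate parameter plus an attempt to set an internal flag.
$input = 'label=backup&isAuthenticated=1';

var_dump(handle_api_request_unsafe($input)); // flag clobbered by the query string
var_dump(handle_api_request_safe($input));   // flag preserved
```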
The complete list of changes tracked in GitHub is available in