Release 2.1.26 introduces a couple of fixes and some new features.

Get last release

Main Changes

Security

An arbitrary file download web vulnerability has been discovered and was patched by denying access to the downloadFile.php without authentication.

Fixes related the implementation of OWASP CSRF Protector Project library which securises Teampass against Cross Site Request Forgery.

Security fixes on some missed queries and on non-protected text fields.

Improvement of Syslog entries

Shown and clipboard copied passwords are now send to Syslog.

Upgrade script manager

A new script manager for upgrades has been created in order to secure future upgrades.

NEW ROLE - Rights Manager

Human Resources role has been introduced. It permits a User to manage all Users independately of his/hers group. Notice that he will be also promoted to Manager role, and that he will not be able to change an existing administrator.

NEW FEATURE - Remote server password change

This new feature permits to perform the password change on a remote server to be synchronized with the Teampass Item.

Read more about it

Minor (but interesting) Changes

Some changes that may interest you:

  • Estonian language was added
  • Any new sub-folder created by a user needs to have a minimum complexity level at least equal to the top-folder one. Note that this restriction is not applied for Manager and Administrator roles.
  • After 3 bad login attemps, the user needs to wait 10 seconds before a new attempt.

Security analysis with RIPS

Teampass was analyzed for security bugs with RIPS by Risptech.

This analysis identified mainly 2 issues:

  • security issue in API with the usage of parse_str (which has been removed)
  • potential issue using $_SESSION which will be removed by the introduction of the configuration file instead of $_SESSION variable.

Github tickets

The complete list of changes tracked in Github are available in changelog.md file.

Roadmap for release 2.1.27

  • Implement usage of configuration file
  • Implement new encryption library PHP-Encryption which permits to ensure a high level of security of your passwords. For more information, please read more
  • Implement of third party 2FA connection AGSES