Researcher Alerts the Public to KeePass's Security Flaw

Private security researcher claims to have found a remotely exploitable security weakness in KeePass, the free, open-source password manager.

A minor security flaw has been found in KeePass, according to the program's inventor.

KeePass's creator, however, describes the flaw as minor and unlikely to be used in a real attack.

Researcher Benjamin Kunz Mejri of Vulnerability Lab uncovered the flaw in KeePass Password Manager up to and including version 1.22.

If successfully exploited, the flaw lets an attacker with access to a machine running KeePass inject malicious content through a specially crafted file passed to the HTML/XML export feature.

As Kunz Mejri noted in his blog post, an attacker would need a URL altered with malicious script code, a log server with read/write/execute (chmod 777) access, a listing file, and a victim actually using KeePass v1.22.

Kunz Mejri cautioned that once the flaw is exploited, the attacker could, among other attacks, collect password lists in plain text.

Because attackers must gain local access to a vulnerable machine and trick users into doing specific actions to import malicious content without realizing it, the security flaw has been classified as "medium."

Dominik Reichl, the developer of KeePass, told Threatpost that he considers the vulnerability minor.

The attack would require "a user to insert harmful data without their knowledge, export the database to an HTML file, and access it," explains a security expert.

Reichl said that KeePass Version 1.23, due out in a few months, will include a patch for the problem.

KeePass's development version has already been updated to include the patch.

Kunz Mejri, however, maintains that the flaw is remotely exploitable.

"It's remotely exploitable if, for example, I alter a login page with malicious script code, and you, as a KeePass user, save it via auto URL type," he said.
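As an added illustration (not KeePass code, and not from the researcher or the project), the following Python contrasts an HTML export routine that interpolates entry fields verbatim with one that escapes them and only turns http(s) URLs into links. The entries, the injected URL value and the table layout are constructed assumptions, not anything taken from KeePass.

```python
import html
from collections import namedtuple
from urllib.parse import urlsplit

Entry = namedtuple("Entry", "title username url notes")

# Constructed sample: the second entry's URL field carries injected markup,
# the "altered login page saved via auto URL type" scenario described above.
SAMPLE_ENTRIES = [
    Entry("Mail", "alice", "https://mail.example.test/login", "work account"),
    Entry("Forum", "bob", 'https://forum.example.test/"><script>alert(1)</script>', "a < b"),
]

def export_html_unsafe(entries):
    """Vulnerable pattern: field values are interpolated verbatim, so whatever
    was saved in an entry is parsed as HTML when the export is opened."""
    rows = "".join(
        f"<tr><td>{e.title}</td><td>{e.username}</td>"
        f'<td><a href="{e.url}">{e.url}</a></td><td>{e.notes}</td></tr>'
        for e in entries
    )
    return f"<html><body><table>{rows}</table></body></html>"

def is_linkable(url):
    """Only http(s) URLs with a host become clickable; other schemes stay plain text."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def export_html_safe(entries):
    """Hardened export: every field is escaped for both text and attribute
    context, and only linkable URLs are wrapped in an anchor."""
    esc = html.escape  # quote=True by default, so " and ' are escaped for attributes too
    rows = []
    for e in entries:
        url_cell = f'<a href="{esc(e.url)}">{esc(e.url)}</a>' if is_linkable(e.url) else esc(e.url)
        rows.append(f"<tr><td>{esc(e.title)}</td><td>{esc(e.username)}</td>"
                    f"<td>{url_cell}</td><td>{esc(e.notes)}</td></tr>")
    return f"<html><body><table>{''.join(rows)}</table></body></html>"

def leaks_raw_markup(document, entries):
    """True if any field containing markup-significant characters reaches the
    document unescaped; a regression check to run on sample data before release."""
    for e in entries:
        for value in e:
            if any(c in value for c in '<>"&') and value in document:
                return True
    return False
```

The `leaks_raw_markup` check is the kind of test a build could run over a database of hostile sample entries so an export path that stops escaping is caught before shipping.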

KeePass is free and open-source software, offered under the GPL license.

First released in 2006, the program was created for people who need to manage access to dozens (or more) of different websites and applications.

It lets users store their login credentials for programs and websites securely and unlock them with a single master password, regardless of the operating system they use.

KeePass is not the only password management tool to have had security issues.

KeePass's main competitor, LastPass, was found to have a critical security weakness that could be exploited to expose account data.

After discovering a broader security issue on its site in May 2011, LastPass recommended that its customers change their passwords.