CVE-2021-44037: Team Password Manager Change log
Team Password Manager (aka TeamPasswordManager) before 10.135.236 allows password-reset poisoning.
Current Team Password Manager version: 10.135.236
10.135.236 - 20211112
- API v5. See the API changelog here: Changes from API v4 to API v5.
- Custom fields of type One Time Password.
- Custom fields of type Date.
- Corrected CSRF vulnerability in import (Security Advisory SYSS-2021-059).
- Password reset URL to prevent password reset poisoning (Security Advisory SYSS-2021-060).
- Files: Info button and View and Edit button in Notes column.
- When uploading, updating and deleting files in passwords and projects, update the updated fields.
- File id logged for linked passwords is the linked file id, not the original one (the source file access is logged too, with the original file id).
- Show the Id of users and groups in the UI.
- Show the Id of passwords, projects and my passwords in the UI.
- Linked passwords: show updated fields in sidebar in Linked section, not Source.
- API (v4 and v5) request to show a password (GET /passwords/ID.json): security data (users_permissions and groups_permissions) is only available to users with manage permission.
- Security and Log tab of passwords only available to the password managers (also API request /security, for v4 and v5).
- Help in LDAP screens: "If you’re using AD, put the attributes in lowercase".
- Roles: put IT after Admin in help and dropdowns.
- Bug: errors if a Login DN has the pipe (|) character.
- Patch 9.125.225.536: API (v4) errors when creating/updating users in certain conditions.
- Patch 9.125.225.527: empty passwords in API responses return false, they should return an empty string.
- Patch 9.125.225.512: Bad search filter when [DN] is being replaced by groups with backslashes.
- Patch 9.125.225.508: correct a bug that didn’t correctly process the Exceptions in the Automatic Blocking Settings.
- Language files v.12.
Patch 9.125.225.536 - 20210818
It corrects a bug by which creating and updating users in certain conditions in API (v4) failed.
* IMPORTANT: this patch is only valid for Team Password Manager v. 9.125.225.
To install:
Copy api_users.php to the wmm/controllers/api_v4/ folder, replacing the current file.
Download patch 9.125.225.536 (MD5 Hash: 4ea071da4adc7e068318a0ab315efd10)
Patch 9.125.225.527 - 20210803
It corrects a bug by which empty passwords in API (v4) responses returned false; they now return an empty string.
* IMPORTANT: this patch is only valid for Team Password Manager v. 9.125.225.
To install:
Copy api_pwd.php to wmm/controllers/api_v4/, replacing the current file.
Copy api_mypwd.php to wmm/controllers/api_v4/, replacing the current file.
Download patch 9.125.225.527 (MD5 Hash: 782460ea7508243989c9ffe50ca356cc)
Patch 9.125.225.512 - 20210630
It escapes the Group DN backslashes (if it has them) when replacing [DN] with the Group DN in a LDAP Sync object of type "Add/update groups and sync members".
* IMPORTANT: this patch is only valid for Team Password Manager v. 9.125.225.
To install:
Copy m_ldap.php to the wmm/models folder, replacing the current file.
Download patch 9.125.225.512 (MD5 Hash: acd889c7d5acca1432133fcbf1ae7130)
Patch 9.125.225.508 - 20210526
It corrects a bug that didn’t correctly process the Exceptions in some cases in the Automatic Blocking Settings (Automatic IP Address Blocking).
* IMPORTANT: this patch is only valid for Team Password Manager v. 9.125.225.
To install:
Copy m_ipb.php to the wmm/models folder, replacing the current file.
Download patch 9.125.225.508 (MD5 Hash: d92542a3ba1a5171ed1a2abe7dd15421)
9.125.225 - 20210430
- SAML SSO Authentication.
- SAML user provisioning using LDAP.
- Browser extension backend.
- Make 400, 403 and 404 prettier and custom 403 and 404 messages.
- Prevent Firefox from autofilling the email field in passwords (and my password) and other forms.
- Base DN optional in LDAP sync and LDAP import.
- Non-IT/Admin users cannot change their own username.
- Bug that prevented disabling 2FA.
- Put “New User Options” button actions in “New User” dropdown.
- Language files v.11.
7.120.220 - 20201216
- Optimize Projects Tree Loading.
- Replace jQuery 1.12.2 with jQuery 3.5.1.
- Bug: if before login a deeplink was requested and the user had 2fa, it went to the last visited page instead of the requested one.
- Bug: LDAP import: Username got a default value of “sn” and Name 2 got a default value of “sn” if no value was entered.
- Bug: sometimes upgrades halted with "Error enabling linked passwords".
7.118.217 - 20200814
- Archived passwords.
- Go to the last visited page after login (unless another specific page is requested before login).
- Changes in project security screen: rearrange screen in tabs, see all members of groups, bulk permission change.
- Changes in password security screen: rearrange screen in tabs, see all members of groups, bulk permission change.
- Sender email and name in email settings.
- Rearrange password screen action buttons.
- PHP 7.4 support.
- Optimize log pages speed and prevent the memory exhausted error.
- Optimize project creation (especially if there are lots of users).
- Other small optimizations.
- Bug: permissions changed on a project (grant all) didn’t correctly propagate to its subprojects if the subprojects were set to individual permissions and user/groups were set to inherit.
- Bug: when generating a new password after deleting the current one sometimes it wasn’t possible (You need to delete the current password if you want to generate a new one!).
- Bug: the projects list in the right sidebar always showed 1 as the number of passwords of the projects.
- Language files v10.
7.109.212 - 20200205
- Linked passwords, see https://teampasswordmanager.com/docs/linked-passwords/.
- Linked passwords search operators (is:linked, is:not_linked, has:linked).
- Advanced search operator is:not_locked (searches only passwords that are not locked, the opposite of is:locked).
- Change font in passwords to show differences between zero and capital o (font-family: Menlo, Monaco, Consolas, 'Courier New', monospace).
- Option to disable password reset (“Forgot your password?” in the sign in screen).
- BUG: can move passwords in archived projects (in some circumstances).
- BUG: copy to clipboard bug that slowed down copy to clipboard and created more than one CC event (Patch 7.103.208.402).
- When duplicating or copying a password, no locking or external sharing information is copied (only data are copied).
- Language Files v.9.
Patch 7.103.208.402 - 20200124
It corrects a copy to clipboard bug that slowed down copy to clipboard and created more than one copy to clipboard event in some cases.
* IMPORTANT: this patch is only valid for Team Password Manager v. 7.103.208.
To install:
* Copy the following file into the wmm/views/main folder (replacing the current one): v_main_tree.php
* Copy the following files into the wmm/views/pwd folder (replacing the current ones): v_list_clipboard.php, v_view_clipboard.php, v_view_external_sharing.php, v_view_notes_clipboard.php
Download patch 7.103.208.402 (MD5 Hash: 06aea33ba5b5a27f05233daeb22a3877)
7.103.208 - 20191227
- Replace input with textarea in Base DN and Filter fields when editing LDAP sync objects and take out 500 chars limit.
- Maintenance mode (see https://teampasswordmanager.com/docs/maintenance-mode/).
- Bug: Add/update groups and sync members objects use the same Base DN for members as the one for groups in paged searches (patch 7.93.204.368).
- API Security: optionally only allow “API only” users to access the API.
- Copy to clipboard Access, Username and Email fields in lists.
- Disable the following options for COPY_TO_CLIPBOARD: flash and zeroclipboard (only disabled and javascript are valid).
- Change copy to clipboard for better browser compatibility.
- Corrected XSS vulnerability when entering disallowed characters (patch 7.93.204.371).
- XSS vulnerability in the title of some pages. Thanks to Pentagrid for informing about it. (CVE-2019-19461).
- Language Files V8.
- Fix for Adobe cookies like AMCV_9A531C8BXXXX77780A490D4D@AdobeOrg.
- Access field in passwords (and my passwords) greater than 250 characters.
Patch 7.93.204.371 - 20190710
It corrects an XSS vulnerability when entering disallowed characters.
* IMPORTANT: this patch is only valid for Team Password Manager version 7.93.204.
To install: copy Input.php to system/core/Input.php, replacing the current file.
Download patch 7.93.204.371 (MD5 Hash: 607001c2c02d29c47507917bed9549a9)
Patch 7.93.204.368 - 20190624
It corrects a bug where “Add/update groups and sync members” objects use the same Base DN for members as the one for groups in paged searches.
* IMPORTANT: this patch is only valid for Team Password Manager version 7.93.204.
To install: copy m_ldap.php to wmm/models/m_ldap.php, replacing the current file.
Download patch 7.93.204.368 (MD5 Hash: b79a7409601167e65a201680625a9404)
7.93.204 - 20190620
- Option to allow the creation of projects from root for Project Managers and IT users.
- Last signed in and Last API requests in users list.
- Language files v7.
- Tested with PHP 7.3.
- External sharing of passwords: expiration and password.
- LDAP paged searches in LDAP Sync, and an option to turn them off.
- Non-Admin/IT LDAP users cannot change their username.
- Corrected bug: password and repeat password fields didn’t match when in fact they did.
- Corrected bug: bad search filter when [DN] was being replaced by groups with parentheses.
- Corrected bug: some incorrect encodings in tags.
- Replace jstree with 3.3.7 to avoid Chrome deprecation message.
- API v3 is no longer available.
- Corrected bug: HMAC: Request hash does not match the calculated hash error in FPM (patch 7.84.198.332).
- Corrected bug: LDAP Sync (add/update users) updated the user role for existing users (Patch 7.84.198.331).
Patch 7.84.198.332 - 20181221
It corrects a bug that didn’t correctly authenticate the API when using HMAC authentication in FPM/FastCGI.
* IMPORTANT: this patch is only valid for Team Password Manager version 7.84.198. If you have an older version you’re encouraged to upgrade to 7.84.198 and apply this patch.
To install: copy m_usr.php to wmm/models/m_usr.php, replacing the current file.
Download patch 7.84.198.332 (MD5 Hash: 3d1039d94010ec75607eb69d95180c44)
Patch 7.84.198.331 - 20181219
It corrects a bug that updated the user roles when updating users in “Add/update users” actions in LDAP Sync. The role in this type of action is only used when creating new users, not when updating existing ones.
* IMPORTANT: this patch is only valid for Team Password Manager version 7.84.198. If you have an older version you’re encouraged to upgrade to 7.84.198 and apply this patch.
To install: copy m_ldap.php to wmm/models/m_ldap.php, replacing the current file.
Download patch 7.84.198.331 (MD5 Hash: 2d5ceeb43f1ab0cff0954a1d525d3b07)
7.84.198 - 20181210
- PHP 7.1+ compatibility.
- jQuery 1.12.2 (replacing jQuery 1.9.1).
- Add Members Base DN in LDAP Sync for the “Add/update groups and sync members” actions.
Please update the Ioncube Loader to the latest version if you get a message saying that index.php is corrupted. Older versions of the Ioncube Loader can’t read the newest encoded files correctly.
Language packs version 6 - 20181207
For en, es_ES, es_ES_fem, de, de_fem, see the language packs page.
7.82.196 - 20181120
- LDAP Sync.
- LDAP groups.
- SEND_UNLOCKING_NOTIFICATIONS_API config.php parameter.
- Multiple tags search with the tag: operator.
- Accept accents, umlauts in email addresses.
7.80.192 - 20180614 (Released 20181120)
- Password Locking: request and notifications to multiple managers.
- Change email subject encoding.
7.79.190 - 20180426
- Password Locking: request permission to unlock.
- Language packs v4.
- Disallow API access from blocked IPs.
- Correct API only users count.
- Sanitize exported CSV fields.
- Specify server id in the log if there’s a problem signing in with an LDAP user (web and api).
- Correct a couple of bugs that didn’t correctly calculate dates in licenses in some cases.
- SQL injection bugs in: users, groups.
- Privilege escalation bug that allowed changing the language of admin users.
- XSS bugs in some fields in: tags, passwords, my passwords, projects, log, email, ldap, search.
- Correct ¤ conversion in some fields.
7.78.161 - 20171214
- Make the MySQL ONLY_FULL_GROUP_BY mode compatible.
- Changes to allow CGI (FastCGI, FPM, etc.).
- Up to 9 LDAP servers (added 6 more).
- Optimize the log page.
- Language packs v3.
- Integrate the three latest patches from the previous version (7.73.146.197, 7.73.146.200 and 7.73.146.208).
- Expiry notifications are sent to the manager of the project regardless of the role (except Read Only).
- Verify if these modules are installed at install/upgrade: json, filter, session, hash.
- Various bugs and minor corrections.
Patch 7.73.146.208 - 20170606
It corrects a bug where API calls labelled permissions incorrectly (projects and passwords).
* IMPORTANT: this patch is only valid for Team Password Manager version 7.73.146. If you have an older version you’re encouraged to upgrade to 7.73.146 and apply this patch.
To install: copy “h_lookup_helper.php” to the “wmm/helpers” folder, replacing the current “h_lookup_helper.php” file.
Download patch 7.73.146.208 (MD5 Hash: bdf81a795118e11862c7c04fe18c2d5d)
Patch 7.73.146.200 - 20170606
It corrects a bug where languages were not correctly detected if using APP_FOLDER in folder.php.
* IMPORTANT: this patch is only valid for Team Password Manager version 7.73.146. If you have an older version you’re encouraged to upgrade to 7.73.146 and apply this patch.
To install: copy “m_set.php” to the “wmm/models” folder, replacing the current “m_set.php” file.
Download patch 7.73.146.200 (MD5 Hash: dd94e77e89f7a9ea50a732493b3e2d73)
Patch 7.73.146.197 - 20170606
It corrects a bug where the users in the edit security screens of passwords and projects were capped.
* IMPORTANT: this patch is only valid for Team Password Manager version 7.73.146. If you have an older version you’re encouraged to upgrade to 7.73.146 and apply this patch.
To install: copy “m_usr.php” to the “wmm/models” folder, replacing the current “m_usr.php” file.
Download patch 7.73.146.197 (MD5 Hash: 6e2f0a77cc87a24ac6067ca7ab8143b1)
7.73.146 - 20170120
- Added multilanguage support to the help and eula screens, and other missing strings.
- Corrected a couple of bugs to make it production ready.
7.72.144 (Beta v7/3) - 20161228
- Multilanguage support.
- PHP 7 support.
- Date and time format parameter.
- Integrate the two latest patches from the previous version (6.68.138.181 and 6.68.138.182).
- Increment wmm_options.value length to 1000.
- Corrected bug with strange characters in titles of passwords and projects.
- Corrected bug with LDAP import where existing users were not detected.
Patch 6.68.138.182 - 20161103
This patch makes error/exception dumps shorter so that no internal information is exposed.
* IMPORTANT: this patch is only valid for Team Password Manager version 6.68.138. If you have an older version you’re encouraged to upgrade to 6.68.138 and apply this patch.
To install this patch unzip it and copy config/config.php to wmm/config/, replacing the current config.php file. Please do not confuse this config.php file with the main configuration file in the root of the software. The one in this patch goes to wmm/config.
Download patch 6.68.138.182 (MD5 Hash: 05cd8993b246c5887671efb723341b1d)
Patch 6.68.138.181 - 20161102
This patch solves a vulnerability found in import (normal and my passwords) in which an attacker could create a remote code execution exploit. We’d like to thank James Ogden from Sky Betting and Gaming for reporting the vulnerability and Daniel Adams from the same company for helping coordinate the testing of the patch.
* IMPORTANT: this patch is only valid for Team Password Manager version 6.68.138. If you have an older version you’re encouraged to upgrade to 6.68.138 and apply this patch.
Specifically, this patch:
• Only allows files with .csv extension and validates the mime type.
• Checks the import process and doesn’t allow the process to continue if there are format errors (deleting the import file).
• Integrates the import log with the log of the software (before a log file was created). The import log can also be downloaded.
• Deletes the import file afterwards.
• Allows the import folder to be configured in config.php, so that it can be placed outside of webroot. Copy the following code to config.php and uncomment and set the define to your desired path (you don’t need to do anything if you want to use the default path):
// Import folder (where imported files are uploaded). You can set it in two ways:
// 1. With an absolute path. Example: /var/www/domain/import/
// 2. With a relative path (relative to index.php). Example: ./import/
// Must be accessible and writable by the web server
// Define with or without trailing slash
// Defaults to ./import/, uncomment the following line to change this default value:
// define('IMPORT_FOLDER', './import/');
How to install the patch: unzip the patch file and upload the files in the folders to the server, wmm folder, replacing the current ones:
wmm/config/mimes.php
wmm/controllers/settings.php
wmm/controllers/mysettings
wmm/models/m_pwd.php
wmm/models/m_mypwd.php
wmm/views/settings/v_import_upload.php
wmm/views/settings/v_import_result.php
wmm/views/mysettings/v_import_upload.php
wmm/views/mysettings/v_import_result.php
Download patch 6.68.138.181 (MD5 Hash: bf9cb8d3e31d831696048b17f1719612)
6.68.138 - 20160226
- Multiple LDAP servers.
- LDAP timeout.
- Proxy settings for the version checker.
- Inactive users do not take up a license.
- Modal screen to select the manager in project and password security.
- Integrate patch 6.63.136.81 (security issue).
Patch 6.63.136.81 - 20160111
This patch corrects a privilege escalation vulnerability when editing the user or user information. Thanks to Holly Grace from Sec-1 Ltd (@HollyGraceful) for reporting this vulnerability.
* IMPORTANT: It’s only valid for Team Password Manager v. 6.63.136. Users with lower versions are encouraged to upgrade to v. 6.63.136 before applying the patch.
To install: copy user_info.php and users.php to wmm/controllers, replacing the existing ones.
Download patch 6.63.136.81 (MD5 Hash: 64d20ce1b43b63b3b861056a7364ac3d)
6.63.136 - 20151217
- New subproject: “Inherit from parent” by default (grant all users).
- API only user.
- Edit notes only button in passwords.
- LDAP import: option to save configuration data to the database.
- LDAP import: debug mode.
- Copy to clipboard: also in access, username, email, notes and all data of the password.
- Copy to clipboard: default JS/HTML5.
- Copy to clipboard: new COPY_TO_CLIPBOARD option to set technology or disable.
- Disable personal passwords (option in config.php: ALLOW_PERSONAL_PASSWORDS).
- Do not close editing modals by clicking outside of them.
- Search includes tags by default.
- Search matches words in string regardless of position.
- Auto select Root for new projects.
- Bug in editing my account, user account and group: if the username or group was incorrect, the error message could allow XSS and iframe injection.
- Project selector (new pwd/new prj): placeholder text in “Filter tree” input box so that the input box is not confused with the name of the new password or project.
- Form autocomplete off in login, 2fa and reset pwd forms.
- Edit file notes larger area.
- Link to LDAP auth doc in website from settings.
- Help text in protocol version in LDAP settings.
- Note for FreeBSD in install.txt.
- Location of config.php in settings overview.
- Visual bug: remove the “encrypted” icon in access, username and email in Edit My Password.
- Note in export that locked passwords are not exported.
- Bug: corrected custom fields notes beginning with url (not shown correctly).
- Bug: API projects.edit_security and passwords.edit_security maintained current permissions on users/groups not specified (patch 6.56.118.20150922).
Patch 6.56.118.20150922 - 20150922
This patch corrects API v4 permission assignment in projects (PUT /projects/ID/security.json) and passwords (PUT /passwords/ID/security.json) where users/groups kept their previous permission if they weren’t assigned any permission, instead of deleting their permissions (thus setting them to “Not set”).
* IMPORTANT: It’s only valid for Team Password Manager v. 6.56.118.
To install copy api_prj.php and api_pwd.php to wmm/controllers/api_v4, replacing the current ones.
Download patch 6.56.118.20150922
6.56.118 - 20150828
- Subprojects (or project hierarchy).
- New permissions system.
- External sharing of passwords.
- Full screen, Passwords+Projects section merged into one (Home), tree instead of tabs, ajax.
- Moved the locked icon to the right, next to the favorite icon.
- Linkify files notes.
- New event: "View file".
- Bug: corrected bug that caused some characters to be replaced by the equal sign (=) in notification emails.
- LDAP: allow to import more than 1000 users in one batch.
- LDAP: set DN field length to 255 in entry fields (test, user, etc.). Check that users with long DN’s can be imported and that they can sign in. Internally there is no limit.
- Bug: API: show a password for users with role “Read only” returned an internal error (Patch 4.50.100.20150625).
- Bug: API: when an LDAP user listed projects, only the first 5 were listed (Patch 4.50.100.20150701).
- API: new API v4, v3 deprecated and v1/v2 disabled. See the API changelog.
- New parameter in config: SUBPROJECT_NAME_SINGULAR/SUBPROJECT_NAME_PLURAL.
- Location of the config.php file is shown in Settings | Encrypt DB Config screen.
- Automatic blocking notification email appeared with strange characters; it is now also sent as HTML.
- In install/upgrade, if PHP >= 5.6, checks that always_populate_raw_post_data=-1.
- Log creation of imported projects and passwords (individually for each project and password).
- Log export of passwords (individually for each password).
- Export: for locked passwords, only the name and project name are exported.
- Import: select a parent project.
- New parameter in config: ALLOW_EXPORT/ALLOW_IMPORT.
Patch 4.50.100.20150701 - 20150701
This patch fixes:
- API (v2/v3): Internal Server Error when users with role “Read only” show a password.
- API (general): listing projects by LDAP users returns only the first 5.
* IMPORTANT: this patch is only valid for version 4.50.100. If you have a lower version, first upgrade to 4.50.100 and then apply this patch.
How to apply:
- Unzip the patch file (4.50.100.20150701.zip).
- Copy controllers/api_v2/api_pwd.php from the unzipped file to wmm/controllers/api_v2 in your installation (replacing the file).
- Copy controllers/api_v3/api_pwd.php from the unzipped file to wmm/controllers/api_v3 in your installation (replacing the file).
- Copy models/m_ldap.php from the unzipped file to wmm/models in your installation (replacing the file).
Download patch 4.50.100.20150701
4.50.100 - 20150315
- Search also done on access, username and e-mail fields of passwords and "my passwords".
- Advanced search operators for passwords and “my passwords” and advanced search form. Advanced search help.
- Additional logs: to syslog or file.
- API v3:
  - GET /version.json => get version, release date and api version.
  - GET /version/check_latest.json => get version, release date and api version and checks latest version, returning it (returns 200 if ok). If the version can’t be checked, ‘’ is returned. This request can only be made by IT or admin users.
  - GET /users/me.json => get information about the user making the call.
  - GET /passwords/ID.json => additional returned field that indicates what permission the current user has on the password: “user_permission” can be read/manage.
  - GET /projects/ID.json => additional returned field that indicates what permission the current user has on the project: “user_permission” can be read/manage.
  - GET /projects/ID.json => additional returned field that indicates if the user can create passwords on the project: “user_can_create_passwords” (true/false).
- API access to My Passwords.
- Export/import My Passwords, with help.
- Delete all my passwords.
- Export didn’t show custom3 title and didn’t export \ correctly (as \\).
- When showing a password, set font to courier. This is done to better differentiate characters, especially i/1/l, if copying to the clipboard isn’t possible (because the place where the password is to be entered won’t admit pasting, or because it is being entered on a different computer).
- Applied patches 4.47.94.20141215 and 4.47.94.20150206.
- If the session has finished and the user clicks on show or copy to clipboard, the sign in screen appears ok, not overlaid on the current page.
- Lots of minor improvements.
Patch 4.47.94.20150206 - 20150206
This patch fixes incorrect encoding of numeric strings as numbers in API responses.
* IMPORTANT: this patch is only valid for version 4.47.94. If you have a lower version, first upgrade to 4.47.94 and then apply this patch.
How to apply: Replace the MY_Controller.php file in the following folder: wmm/core.
Download patch 4.47.94.20150206
Patch 4.47.94.20141215 - 20141215
This patch corrects incorrect removal of some control characters when entering data.
* IMPORTANT: this patch is only valid for version 4.47.94. If you have a lower version, first upgrade to 4.47.94 and then apply this patch.
How to apply: Replace the Input.php file in the following folder: system/core.
Download patch 4.47.94.20141215
4.47.94 - 20141203
- PHP 5.6 compatibility.
- Search passwords inside project.
- Setting in config.php to control the number of items in lists: NUM_ITEMS_LISTS.
- The sorting field in lists is maintained between sessions (for each user).
- 2FA verification has now a 1 minute margin by default.
- Parameter in config.php to set the number of 30 second windows of margin for 2FA verification: NUM_2FA_WINDOWS.
- Handle https connections from load balancers/proxies automatically if using SSL Termination (if detecting header “X-Forwarded-Proto: https” or header “Front-End-Https: on”).
- Parameter in config.php to set a base url: TPM_BASE_URL.
- Allow one user with role Admin/IT to be exempt from 2FA enforcement.
- Bug: if the QR code cannot be generated (due to GD not installed), show a message instead of a broken image (or nothing).
- Bugs (visual) in group / user management when the user is an IT user.
- Bug in import: in some cases the project name and password name was imported blank.
- Other minor bugs and changes.
4.41.83 - 20141030
- Global custom field templates. Global default template.
- Project custom field templates.
- New option in config.php to be able to replace the words “project/projects” with other terms on all the screens. Example: "category/categories".
- Password expiration, with email notifications.
- Password locking (enter reason to unlock), with email notifications.
- API v2 to support password expiration and locking.
- Automatically add a link in http/https URLs in notes fields (in passwords and projects).
- Support (validate) email addresses with new TLDs (Example: [email protected])
- When creating new passwords with the new password button, show intermediate screen to select project. This screen is not shown when creating passwords from a project.
- Add “New password after saving” checkbox next to the Save button when adding a password.
- Copy/move my password to a project.
- JS code to prevent double form submissions.
- Bug: without JS enabled: error with tags when creating a project.
- Avoid "open_basedir restriction in effect. File(/dev/urandom) is not within the allowed path(s)" error when installing/upgrading or creating users.
- Bug: in My Account | 2FA tab, the QR code was incorrect.
- Show Account Name when enabling 2FA and in the 2FA tab in "My Account".
- Favicon with higher resolution.
- Bug: in tags filter inside project (didn’t show passwords when a password tag being filtered was deleted).
- Workaround so that Chrome in windows doesn’t automatically (and incorrectly) fill in the password fields when editing passwords, when its option to save passwords is enabled.
- Bug in API v1 (also corrected in API v2): did not check email custom fields for a valid email address.
- Bug in file uploads: if no file was provided and in some cases where the file size was greater than the maximum, the upload button remained hidden.
- Small square bullet icon in filter labels in password and project lists.
4.32.68 - 20140724
- New: API V1.
- Username: removed 6 chars minimum limitation.
- When deleting a password offer to return to the project of the password (in addition to the passwords list).
- Remove autocomplete=off from username/password in login screens so that some browsers can store the password.
- Bug: could assign a read only user as password manager (although this user could do nothing).
- Bug: update password updated_by/on when editing password security.
- Check if mysqli extension is installed (at login, install and upgrade).
- Upgrade: username or email label depending on which version is upgrading (< 3.32.60 => email, >= 3.32.60 username).
- New obfuscation option to remove some warnings in the PHP log.
- Other minor bugs and changes.
3.32.60 - 20140604
- Responsive.
- Users have now a Username and sign in with the username instead of email. Also, this field is case insensitive (before, the email was case sensitive). Usernames are also imported when doing an LDAP import. Note: LDAP import now does NOT convert email addresses to lowercase (because email is not used to login and username (if email is used) is case insensitive).
- Users have now tabs that list the passwords and projects that they have access to.
- Ask for the user’s password for editing "My account".
- Automatic IP Blocking notifications: allow also IT users (before only admin users were allowed to receive notifications).
- Email settings: hide password, new setting "Use SMTP User as the email sender".
- A new setting in config.php so that it labels the “Copy to clipboard” icon for screenreaders to read: define('ZEROCLIPBOARD', TRUE);
- Users with IT role can only “Edit/Delete” and “Add/Delete users to/from a Group” for groups that they belong to. When creating groups they’re automatically assigned to them. IT users cannot delete themselves from groups.
- In config.php: configuration for non-standard ports. Ex: define('CONFIG_PORT', 3307);
- Bug: in security lists (pwd, prj) if two users had the same name, only one would appear.
- Bug in My Account log pagination: it didn’t show the correct page.
- Other minor bugs and changes.
2.25.45 - 20140408
- Duplicate passwords.
- Encrypt DB configuration in config.php.
- Quick access to “My Passwords” from the menu, moved help to the footer, “My Account” is now accessed clicking on the user name.
- Custom CSS for the sign in screen. See the define CUSTOM_SIGNIN_CSS in config.php.
- Custom fields in passwords (up to 10).
- Labels when editing a password (Basic data, custom fields, notes) and bigger notes field.
- Notes icon instead of “Notes:” in the passwords/mypasswords list, also a direct link to the notes tab.
- Password history.
- Short timeout for the version checker.
- The access and custom text fields are made clickable if a URI scheme is detected (and not only http:// or https://).
- Copy password also copies files now.
- Now can run on PHP 5.5.
Patch 2.18.35.1 - 20140210
This patch corrects a bug that didn’t allow LDAP admin users to upgrade the software.
Do not apply it if you’re not using LDAP or if you’ve already upgraded to 2.18.35.
It’s only valid for version 2.18.35.
How to apply: copy m_install.php to wmm/models overwriting the current m_install.php file.
Download patch 2.18.35.1
Download a current version of the software
2.18.35 - 20140203
- Timeout and autologout (if js is active).
- Tags search (passwords and projects) - only if js is active.
- Project managers can now assign their own projects to other managers, or can create projects for other managers (Managed by field when editing).
- The password manager (or owner) can be changed.
- Changed default security to “Grant access to this project to the following users and/or groups.” when creating a new project.
- Grant access to users/groups (that don’t have access to a project) to passwords directly.
- Version checker.
- New role: IT: project manager with access to users/groups (except admins), log and settings.
- New log action: “Password shown” (Show password or Copy password to clipboard): unified action for filtering the log to see who’s viewed passwords.
- Personal passwords.
- Settings screens: tabs at the left to allow for more options.
- Bug: Email send test: correct message display when error.
2.12.30 - 20140115
- Changes in password reset:
  - Made it more secure.
  - Bug: do not allow password reset for inactive users.
  - Bug: do not allow password reset if LDAP user (should be done in the LDAP server).
  - If the user has 2FA enabled, ask for the code and do not disable 2FA.
- Changes in the licenses screen.
- Trial licenses.
2.11.25 - 20131224
- Query optimization.
- Minor cosmetic bug: when viewing security in passwords/projects (the granted via column sometimes repeated values).
2.11.24 - 20131216
- New feature: LDAP authentication. See Doc: LDAP / AD Authentication.
- Changes when adding/editing a password:
- Enhancement: when adding/editing a password: show/hide password (hidden by default), generate not required to delete when new, repeat password.
- Bug: Show password event is logged when editing a password.
- Enhancement: in the log, “View password” action changed to "View password data".
- Bug: use mbstring functions in some cases where accents/special chars were not displayed correctly.
- Bug: when importing, do not allow import of passwords into archived projects.
- Bug: without Javascript activated, clicking “Show” didn’t log "Show password".
- Enhancement: without Javascript activated “Hide” button after clicking "Show".
- Many minor bugs corrected.
- Better error handling.
2.9.18 - 20131123
- New feature: files in passwords and projects.
- New feature: password tags in project for filtering inside the project.
- Enhancement: add a link to the user screen in the log (if the logged in user is admin).
- Bug: if a user is deactivated, his/her session is now disabled if he/she is logged in.
- Security bug: could copy passwords even after the session expired.
- Bug: sometimes the clipboard icon didn’t show and also produced an annoying flickering.
- Bug: include password to the last 5 passwords viewed when copying it to the clipboard.
2.7.13 - 20131104
Minor bug: database error when creating projects with MySQL 5.6+.
2.7.12 - 20130924
Bugs release (in user passwords, password generator incorrectly showed some symbols, minor spelling).
2.7.11 - 20130916
- New feature: IP detection if behind a reverse proxy (download and see the config.php file).
- New feature: IP address blocking at the “Sign In” screen. Manual and Automatic.
- New feature: optionally enforce Two-Factor authentication on all users.
- New feature: email field in password.
- New feature: strong passwords generator.
- New feature: hide password (after clicking “Show”), and changed the color of the “Show” link.
- New feature: copy password to clipboard (you need to have Flash installed to be able to use this feature).
- New feature: Namespaces in sessions, which allow accessing different instances of TPM on the same server with the same browser.
- Bug: strings with special characters didn’t display correctly in some cases.
- Bug: some events were not logged: setting/unsetting favorite, email test sent, email configuration changed.
- Bug: error when filtering by tags that contained a slash (in passwords and projects).
- Bug: in label (password instead of project): when deleting a password it said that the "project has been deleted".
- Bug: in help (export/import) documentation: “Projects created by the import process will have ‘Grant access to this project to the following users and/or groups.’ as their security setting (and no user or group checked).” INSTEAD OF “Projects created by the import process will have ‘All users have access to this project’ as their security setting.”
- Internal change: do not use persistent db connections and use mysqli instead of mysql.
- Change: force edge versions in IE because compatibility view generated problems.
2.0.1 - 20130601
Major upgrade:
- New UI.
- Tags for passwords and projects.
- Favorite passwords and projects.
- Groups of users (and give access to them in projects).
- Two-factor authentication with Google Authenticator.
- Bcrypt hashing of users’ passwords.
- Logging (of every action).
1.7.0 - 20121231
- Export/import password entries.
- Create password entries editing policy.
- Copy/move passwords entries between projects.
- Last accessed label on projects and passwords (on the sidebar).
- Bigger search box.
- Sort projects (and archived projects) by name, creation date or manager.
- Show the number of projects in projects lists.
- Small boxes in pagination links.
- Show the number of password entries in password entries lists.
- Enter key when creating users.
- Improved encryption and sessions.
1.2.0 - 20110905
- 2 users for the FREE VERSION.
- Upgrade system.
1.1.1 - 20110829
- Minor modifications (logo on Sign in screen, some labels).
- Project security for only 1 user (everyone has access to the project, or only its manager and admins).
1.1.0 - 20110807
Name change: from WebmasterMGR to Team Password Manager.
1.0.8 - 20110630
First version available to public.