Introduction

KeePass features a plugin framework. Plugins can provide additional functionality, such as support for more file formats for import/export, network functionality, backup features, etc.

Online Resources

Plugins can be found on the Plugins page.

Installation and Uninstallation

If there are no explicit instructions on how to install the plugin, follow these steps:
To uninstall a plugin, delete the plugin files.

Linux:

Portability:

Security

Plugins must be stored in the 'Plugins' folder of the KeePass application directory. An attacker who can copy a malicious plugin into this folder could typically also replace the 'KeePass.exe' file with malware. As protection against such attacks, an appropriate file system access control list (ACL) should be used (for the whole KeePass application directory, including the 'Plugins' folder); administrator privileges should be required for write access.
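One way to check the ACL recommendation above on Windows, as an added example that is not part of the KeePass documentation or code. The default install path, the `-ExtraDirs` parameter and the helper name `Get-UntrustedWriteAce` are assumptions made for illustration; any further directory you want audited, such as the PLGX plugin cache, can be passed via `-ExtraDirs`.

```powershell
# Added example: list ACL entries that grant write access to non-administrators.
# Assumption: default install path; pass -AppDir for a different location.
param(
    [string]$AppDir = 'C:\Program Files\KeePass Password Safe 2',
    [string[]]$ExtraDirs = @()   # hypothetical parameter for additional directories
)

# Principals that are expected to hold write access (well-known SIDs).
$trusted = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that allow adding, replacing or deleting files, or rewriting the ACL.
$writeMask = [int][System.Security.AccessControl.FileSystemRights](
    'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ' +
    'ChangePermissions, TakeOwnership')
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000   # GENERIC_WRITE, GENERIC_ALL

function Get-UntrustedWriteAce {
    param([string]$Path)
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        # Deny entries are ignored, so the report errs on the side of over-reporting.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only entries apply to children, not to this object.
        if ($ace.PropagationFlags -band $inheritOnly) { continue }
        if (-not ([int]$ace.FileSystemRights -band $writeMask)) { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { $sid = $ace.IdentityReference.Value }   # unresolvable account
        if ($trusted -notcontains $sid) {
            [pscustomobject]@{ Path = $Path; Identity = $ace.IdentityReference
                               Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
        }
    }
}

# Check each directory itself and everything below it ('Plugins', KeePass.exe, ...).
$findings = foreach ($dir in (@($AppDir) + $ExtraDirs)) {
    if (-not (Test-Path -LiteralPath $dir)) { Write-Warning "Not found: $dir"; continue }
    Get-UntrustedWriteAce -Path $dir
    Get-ChildItem -LiteralPath $dir -Recurse -Force | ForEach-Object { Get-UntrustedWriteAce -Path $_.FullName }
}
if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'No non-administrator write access found.' }
```

An empty result for the application directory matches the recommendation above; any listed entry names a principal other than SYSTEM, Administrators or TrustedInstaller that can modify that file or folder.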
DLL vs. PLGX:

By default, the user has write access in the PLGX plugin cache directory (without administrator privileges). This is not a security vulnerability. Let us assume that an attacker has write access in the plugin cache directory and the goal is code execution. The plugin cache folder is typically located in the user's profile directory and has the same ACL, i.e. the attacker has write access in the user's profile directory. With this, there are many ways to execute malware (a few examples can be found here: 'Write Access to Configuration File'). Stand-alone malware can also be specialized in attacking KeePass (see 'Specialized Spyware'); it does not need to be a plugin for this. Furthermore, anti-virus software scans all files containing executable code (EXE, DLL, ...); malware is either detected or not, independent of where in the user's profile directory it is stored.

If you worry about this anyway, consider adjusting the ACL of the PLGX plugin cache directory to require administrator privileges for write access. Note though that this may result in some plugins not working properly anymore (those that assume they have write access in the plugin cache directory), and the KeePass option 'Delete old files from cache automatically' also may not work anymore.

In the case of a dual package (DLL and PLGX in the same folder), KeePass loads the DLL file (and ignores the PLGX file), if possible.

Cache

PLGX plugins (not DLL plugins) are compiled and stored in a plugin cache directory on the user's system. This cache improves the startup performance of KeePass. Old files are normally deleted from the cache automatically (this can be disabled in the plugins dialog). The cache does not contain any user data.

By default, the plugin cache is located in the user's local application data directory (

Do not relocate the plugin cache into the 'Plugins' folder of the KeePass application directory, because this can result in a severe performance degradation.