ECB mode is only used for the internal keys. The database records are encrypted in CBC mode, and there is an integrity authenticator HMAC as well. However, the format was designed in the days when Mac-then-encrypt was considered proper. So the authentication HMAC is over the plaintext prior to encrypting.
Yes, @tehjh on Twitter pointed this out. The CBC code is in Util.cpp, _readcbc; it appears to be length-delimited instead of padded, so there's probably another error oracle in the decoding of the length/type block.
Also: in PWSfileV3.cpp, are they HMAC'ing the IV?
This is interesting; we might be able to make an exercise out of it.
http://sourceforge.net/p/passwordsafe/git-code/ci/333dd9f23a...
ECB mode is only used for the internal keys. The database records are encrypted in CBC mode, and there is an integrity authenticator HMAC as well. However, the format was designed in the days when Mac-then-encrypt was considered proper. So the authentication HMAC is over the plaintext prior to encrypting.