Context Navigation

Modify ↓

#11803 closed defect (cantfix)

New user created anonymously

Reported by:	tracbug.anonuserissue@…	Owned by:
Priority:	normal	Milestone:
Component:	admin/web	Version:	1.0.1
Severity:	normal	Keywords:
Cc:		Branch:
Release Notes:
API Changes:
Internal Changes:

Description

I administer a system running a private installation of Trac 1.0.1. Last night I opened firewalls to allow a company Nessus scan. Nessus was able to create a new Trac user.

2014-11-01 02:40:43,407 Trac[main] DEBUG: Dispatching <RequestWithSession "POST '/register'">
2014-11-01 02:40:43,408 Trac[session] DEBUG: Retrieving session for ID 'd1e15c57faf4f33fabad61c9'
2014-11-01 02:40:43,409 Trac[main] DEBUG: Negotiated locale: None -> None
2014-11-01 02:40:43,410 Trac[api] WARNING: Unable to find repository '(default)' for synchronization
2014-11-01 02:40:43,439 Trac[perm] DEBUG: No policy allowed anonymous performing ACCTMGR_USER_ADMIN on None
2014-11-01 02:40:43,441 Trac[api] INFO: Created new user: 12345

Is this a configuration issue, or native vulnerability?

Trac   1.0.1
CentOS 6.6
Python 2.6.6
Apache 2.2.15

System Information

Package	Version
Trac 	1.0.1
Trac 	1.0.1
Babel 	0.9.4 (translations unavailable)
Genshi 	0.7 (without speedups)
mod_python 	3.3.1
pysqlite 	2.4.1
Python 	2.6.6 (r266:84292, Jan 22 2014, 09:42:36) [GCC 4.4.7 20120313 (Red Hat 4.4.7-4)]
Python 	2.6.6 (r266:84292, Jan 22 2014, 09:42:36) [GCC 4.4.7 20120313 (Red Hat 4.4.7-4)]
setuptools 	0.6
setuptools 	0.6
SQLite 	3.6.20
Subversion 	1.6.11 (r934486)
jQuery	1.7.2

Attachments (0)

Change History (2)

comment:1 by Jun Omae, 9 years ago

Priority:	high → normal
Resolution:	→ cantfix
Status:	new → closed

PluginIssue (th:AccountManagerPlugin). Trac core doesn't have user management feature.

comment:2 by Jun Omae, 9 years ago

Also, that's not a defect. Any one can register a new user by the /register link which the plugin provides. If you don't want, you must disable RegistrationModule. See th:wiki:AccountManagerPlugin/RegistrationInspector.

Modify Ticket

Change Properties

Summary:
Description:	I administer a system running a private installation of Trac 1.0.1. Last night I opened firewalls to allow a company Nessus scan. Nessus was able to create a new Trac user. {{{ 2014-11-01 02:40:43,407 Trac[main] DEBUG: Dispatching <RequestWithSession "POST '/register'"> 2014-11-01 02:40:43,408 Trac[session] DEBUG: Retrieving session for ID 'd1e15c57faf4f33fabad61c9' 2014-11-01 02:40:43,409 Trac[main] DEBUG: Negotiated locale: None -> None 2014-11-01 02:40:43,410 Trac[api] WARNING: Unable to find repository '(default)' for synchronization 2014-11-01 02:40:43,439 Trac[perm] DEBUG: No policy allowed anonymous performing ACCTMGR_USER_ADMIN on None 2014-11-01 02:40:43,441 Trac[api] INFO: Created new user: 12345 }}} Is this a configuration issue, or native vulnerability? {{{ Trac 1.0.1 CentOS 6.6 Python 2.6.6 Apache 2.2.15 }}} '''System Information''' {{{ Package Version Trac 1.0.1 Trac 1.0.1 Babel 0.9.4 (translations unavailable) Genshi 0.7 (without speedups) mod_python 3.3.1 pysqlite 2.4.1 Python 2.6.6 (r266:84292, Jan 22 2014, 09:42:36) [GCC 4.4.7 20120313 (Red Hat 4.4.7-4)] Python 2.6.6 (r266:84292, Jan 22 2014, 09:42:36) [GCC 4.4.7 20120313 (Red Hat 4.4.7-4)] setuptools 0.6 setuptools 0.6 SQLite 3.6.20 Subversion 1.6.11 (r934486) jQuery 1.7.2 }}} You may use WikiFormatting here.
Type:		Priority:
Milestone:		Component:
Version:		Severity:
Keywords:		Cc:	Set your email in Preferences
Branch:
Release Notes:
API Changes:
Internal Changes:

Action

leave as closed The ticket will remain with no owner.

reopen The resolution will be deleted. Next status will be 'reopened'.

change ownership to The owner will be changed from (none) to the specified user.

Add Comment

Your email or username:

E-mail address and name can be saved in the Preferences .

You may use WikiFormatting here.

Attachments ↑ Description ↑

Note: See TracTickets for help on using tickets.

Download in other formats: