Edgewall Software

Opened 8 years ago

Closed 8 years ago

Last modified 8 years ago

#11803 closed defect (cantfix)

New user created anonymously

Reported by: tracbug.anonuserissue@… Owned by:
Priority: normal Milestone:
Component: admin/web Version: 1.0.1
Severity: normal Keywords:
Cc: Branch:
Release Notes:
API Changes:
Internal Changes:


I administer a system running a private installation of Trac 1.0.1. Last night I opened firewalls to allow a company Nessus scan. Nessus was able to create a new Trac user.

2014-11-01 02:40:43,407 Trac[main] DEBUG: Dispatching <RequestWithSession "POST '/register'">
2014-11-01 02:40:43,408 Trac[session] DEBUG: Retrieving session for ID 'd1e15c57faf4f33fabad61c9'
2014-11-01 02:40:43,409 Trac[main] DEBUG: Negotiated locale: None -> None
2014-11-01 02:40:43,410 Trac[api] WARNING: Unable to find repository '(default)' for synchronization
2014-11-01 02:40:43,439 Trac[perm] DEBUG: No policy allowed anonymous performing ACCTMGR_USER_ADMIN on None
2014-11-01 02:40:43,441 Trac[api] INFO: Created new user: 12345

Is this a configuration issue, or native vulnerability?

Trac   1.0.1
CentOS 6.6
Python 2.6.6
Apache 2.2.15

System Information

Package	Version
Trac	1.0.1
Babel	0.9.4 (translations unavailable)
Genshi	0.7 (without speedups)
mod_python	3.3.1
pysqlite	2.4.1
Python	2.6.6 (r266:84292, Jan 22 2014, 09:42:36) [GCC 4.4.7 20120313 (Red Hat 4.4.7-4)]
setuptools	0.6
SQLite	3.6.20
Subversion	1.6.11 (r934486)
jQuery	1.7.2

Attachments (0)

Change History (2)

comment:1 by Jun Omae, 8 years ago

Priority: high → normal
Resolution: → cantfix
Status: new → closed

PluginIssue (th:AccountManagerPlugin). Trac core doesn't have a user management feature.

comment:2 by Jun Omae, 8 years ago

Also, that's not a defect. Anyone can register a new user via the /register link which the plugin provides. If you don't want that, you must disable RegistrationModule. See th:wiki:AccountManagerPlugin/RegistrationInspector.
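A log check for the sequence the reporter pasted, added here as an example (it is not code from Trac, from AccountManagerPlugin or from this ticket): it parses Trac log lines and flags every "Created new user" event that follows a POST to the plugin's /register handler inside the same request, recording whether the "No policy allowed anonymous performing ACCTMGR_USER_ADMIN" denial was logged for that request. The sample log is constructed after the ticket's excerpt; the admin path and the users "alice" and "bob" are placeholders, not values from the report.

```python
import re
from datetime import datetime, timedelta
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
                     r"Trac\[(?P<module>\w+)\] (?P<level>\w+): (?P<msg>.*)$")
DISPATCH_RE = re.compile(r'Dispatching <\w+ "(?P<method>[A-Z]+) \'(?P<path>[^\']*)\'">')
CREATED_RE = re.compile(r"Created new user: (?P<user>\S+)")
# Logged by the plugin when an anonymous requester lacks the admin permission.
ANON_DENIED = "No policy allowed anonymous performing ACCTMGR_USER_ADMIN"
# Constructed sample, modelled on the ticket's log excerpt. The admin path and
# the users "alice" and "bob" are placeholders, not values from the report.
SAMPLE_LOG = """\
2014-11-01 02:40:43,407 Trac[main] DEBUG: Dispatching <RequestWithSession "POST '/register'">
2014-11-01 02:40:43,439 Trac[perm] DEBUG: No policy allowed anonymous performing ACCTMGR_USER_ADMIN on None
2014-11-01 02:40:43,441 Trac[api] INFO: Created new user: 12345
2014-11-01 03:15:12,000 Trac[main] DEBUG: Dispatching <RequestWithSession "POST '/admin/accounts/users'">
2014-11-01 03:15:12,050 Trac[api] INFO: Created new user: alice
2014-11-01 04:01:00,000 Trac[main] DEBUG: Dispatching <RequestWithSession "POST '/register'">
2014-11-01 04:01:00,020 Trac[api] INFO: Created new user: bob
"""

def find_self_registrations(log_text, window_seconds=5):
    """Flag each 'Created new user' that follows a POST /register within window_seconds."""
    findings = []
    last_dispatch = None      # (timestamp, method, path) of the most recent request
    anon_denied_seen = False  # anonymous was denied ACCTMGR_USER_ADMIN in this request
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines (tracebacks etc.) carry no timestamp
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
        msg = m.group("msg")
        d = DISPATCH_RE.search(msg)
        if d:  # a new request starts: remember its route, reset per-request state
            last_dispatch = (ts, d.group("method"), d.group("path"))
            anon_denied_seen = False
        elif ANON_DENIED in msg:
            anon_denied_seen = True
        else:
            c = CREATED_RE.search(msg)
            if c and last_dispatch is not None:
                start, method, path = last_dispatch
                if (method, path) == ("POST", "/register") and \
                        ts - start <= timedelta(seconds=window_seconds):
                    findings.append({"time": m.group("ts"), "user": c.group("user"),
                                     "anonymous_confirmed": anon_denied_seen})
    return findings
if __name__ == "__main__":
    for f in find_self_registrations(SAMPLE_LOG):
        print("self-registration at %s: user %s" % (f["time"], f["user"]))
```

Run against the real trac.log, a non-empty result means the plugin's RegistrationModule was reachable and used; the account created through the admin panel is deliberately not reported.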
