id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc,branch,changelog,apichanges,internalchanges
11803,New user created anonymously,tracbug.anonuserissue@…,,"I administer a system running a private installation of Trac 1.0.1. Last night I opened firewalls to allow a company Nessus scan. Nessus was able to create a new Trac user.

{{{
2014-11-01 02:40:43,407 Trac[main] DEBUG: Dispatching
2014-11-01 02:40:43,408 Trac[session] DEBUG: Retrieving session for ID 'd1e15c57faf4f33fabad61c9'
2014-11-01 02:40:43,409 Trac[main] DEBUG: Negotiated locale: None -> None
2014-11-01 02:40:43,410 Trac[api] WARNING: Unable to find repository '(default)' for synchronization
2014-11-01 02:40:43,439 Trac[perm] DEBUG: No policy allowed anonymous performing ACCTMGR_USER_ADMIN on None
2014-11-01 02:40:43,441 Trac[api] INFO: Created new user: 12345
}}}

Is this a configuration issue, or a native vulnerability?

{{{
Trac 1.0.1
CentOS 6.6
Python 2.6.6
Apache 2.2.15
}}}

'''System Information'''

{{{
Package      Version
Trac         1.0.1
Trac         1.0.1
Babel        0.9.4 (translations unavailable)
Genshi       0.7 (without speedups)
mod_python   3.3.1
pysqlite     2.4.1
Python       2.6.6 (r266:84292, Jan 22 2014, 09:42:36) [GCC 4.4.7 20120313 (Red Hat 4.4.7-4)]
Python       2.6.6 (r266:84292, Jan 22 2014, 09:42:36) [GCC 4.4.7 20120313 (Red Hat 4.4.7-4)]
setuptools   0.6
setuptools   0.6
SQLite       3.6.20
Subversion   1.6.11 (r934486)
jQuery       1.7.2
}}}
",defect,closed,normal,,admin/web,1.0.1,normal,cantfix,,,,,,
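The log excerpt in the ticket shows the two lines an administrator would want to correlate after an exposure like this: a permission check naming the acting principal ("No policy allowed anonymous performing ACCTMGR_USER_ADMIN on None") followed, in the same request, by "Created new user: 12345". The script below is an added triage example, not code from Trac, the AccountManager plugin, or the reporter. It assumes the default Trac log line layout visible in the excerpt (`<timestamp> Trac[<module>] <LEVEL>: <message>`), that each request begins with a `Trac[main] DEBUG: Dispatching` line, and that the permission-denial and user-creation messages keep the wording seen in the ticket. The sample log is constructed: its first request reproduces the ticket's excerpt, the second (session `alice`, new user `bob`) is hypothetical and exists only to show the authenticated case.

```python
"""Flag Trac 'Created new user' events that happened in a request where the
only principal named in permission checks was 'anonymous' (or none at all).

Added example for triaging a Trac log like the one quoted in the ticket; not
code from Trac, AccountManager, or the reporter. Assumes the default log
format, 'Dispatching' as the request boundary, and the message wording seen
in the ticket. SAMPLE_LOG is constructed.
"""
import re
from dataclasses import dataclass

# "2014-11-01 02:40:43,441 Trac[api] INFO: Created new user: 12345"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"Trac\[(?P<module>[\w.]+)\] (?P<level>[A-Z]+): (?P<msg>.*)$"
)
# Denial wording from the ticket; it names the principal the request ran as.
PERM_RE = re.compile(
    r"^No policy allowed (?P<user>\S+) performing (?P<action>\S+) on (?P<resource>.*)$"
)
CREATED_RE = re.compile(r"^Created new user: (?P<user>.+)$")


@dataclass
class Creation:
    ts: str
    new_user: str
    actors: frozenset  # principals named in permission checks of the same request


def user_creations(lines):
    """Group log lines into requests and return every user-creation event
    together with the principals seen in permission checks of that request."""
    creations = []
    actors = set()
    pending = []  # (ts, new_user) seen so far in the current request

    def flush():
        for ts, user in pending:
            creations.append(Creation(ts, user, frozenset(actors)))

    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # traceback / continuation lines carry no prefix
        ts, module, msg = m.group("ts", "module", "msg")
        if module == "main" and msg == "Dispatching":
            flush()  # a new request starts; emit what the previous one created
            actors, pending = set(), []
            continue
        pm = PERM_RE.match(msg)
        if pm:
            actors.add(pm.group("user"))
            continue
        cm = CREATED_RE.match(msg)
        if cm:
            pending.append((ts, cm.group("user")))
    flush()
    return creations


def anonymous_user_creations(lines):
    """Creations with no authenticated principal in the request: either only
    'anonymous' appeared in permission checks, or no check was logged at all."""
    return [c for c in user_creations(lines) if c.actors <= {"anonymous"}]


# Constructed sample log. Request 1 is the ticket's excerpt; request 2
# (session 'alice' creating 'bob') is hypothetical, for contrast.
SAMPLE_LOG = """\
2014-11-01 02:40:43,407 Trac[main] DEBUG: Dispatching
2014-11-01 02:40:43,408 Trac[session] DEBUG: Retrieving session for ID 'd1e15c57faf4f33fabad61c9'
2014-11-01 02:40:43,409 Trac[main] DEBUG: Negotiated locale: None -> None
2014-11-01 02:40:43,410 Trac[api] WARNING: Unable to find repository '(default)' for synchronization
2014-11-01 02:40:43,439 Trac[perm] DEBUG: No policy allowed anonymous performing ACCTMGR_USER_ADMIN on None
2014-11-01 02:40:43,441 Trac[api] INFO: Created new user: 12345
2014-11-01 09:15:02,100 Trac[main] DEBUG: Dispatching
2014-11-01 09:15:02,101 Trac[session] DEBUG: Retrieving session for ID 'alice'
2014-11-01 09:15:02,120 Trac[perm] DEBUG: No policy allowed alice performing TRAC_ADMIN on None
2014-11-01 09:15:02,130 Trac[api] INFO: Created new user: bob
"""

if __name__ == "__main__":
    for c in user_creations(SAMPLE_LOG.splitlines()):
        flag = "ANONYMOUS" if c.actors <= {"anonymous"} else "authenticated"
        print(f"{c.ts} created {c.new_user!r} actors={sorted(c.actors)} -> {flag}")
```

Two caveats when running this over a real log: the `Trac[perm]` line is emitted at DEBUG level, so the correlation only works for periods when `log_level` was DEBUG (as it evidently was on the reporter's instance), and a creation with no permission line at all is deliberately flagged too, since the absence of any check is exactly what an administrator wants to look at after an anonymous registration.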