Opened 10 years ago
Closed 10 years ago
#12047 closed defect (invalid)
New user created anonymously
| Reported by: | | Owned by: | Steffen Hoffmann |
|---|---|---|---|
| Priority: | high | Component: | AccountManagerPlugin |
| Severity: | normal | Keywords: | registration |
| Cc: | Ryan J Ollos | Trac Release: | |
Description
I administer a system running a private installation of Trac 1.0.1. Last night I opened firewalls to allow a company Nessus scan. Nessus was able to create a new Trac user.
```
2014-11-01 02:40:43,407 Trac[main] DEBUG: Dispatching <RequestWithSession "POST '/register'">
2014-11-01 02:40:43,408 Trac[session] DEBUG: Retrieving session for ID 'd1e15c57faf4f33fabad61c9'
2014-11-01 02:40:43,409 Trac[main] DEBUG: Negotiated locale: None -> None
2014-11-01 02:40:43,410 Trac[api] WARNING: Unable to find repository '(default)' for synchronization
2014-11-01 02:40:43,439 Trac[perm] DEBUG: No policy allowed anonymous performing ACCTMGR_USER_ADMIN on None
2014-11-01 02:40:43,441 Trac[api] INFO: Created new user: 12345
```
Is this a configuration issue, or a native vulnerability?
Trac 1.0.1, AccountManager 0.4.3, CentOS 6.6, Python 2.6.6, Apache 2.2.15
System Information
| Package | Version |
|---|---|
| Trac | 1.0.1 |
| Babel | 0.9.4 (translations unavailable) |
| Genshi | 0.7 (without speedups) |
| mod_python | 3.3.1 |
| pysqlite | 2.4.1 |
| Python | 2.6.6 (r266:84292, Jan 22 2014, 09:42:36) [GCC 4.4.7 20120313 (Red Hat 4.4.7-4)] |
| setuptools | 0.6 |
| SQLite | 3.6.20 |
| Subversion | 1.6.11 (r934486) |
| jQuery | 1.7.2 |
Installed Plugins
| Package | Version | Location |
|---|---|---|
| TracAccountManager | 0.4.3 | /usr/lib/python2.6/site-packages/TracAccountManager-0.4.3-py2.6.egg |
Attachments (0)
Change History (4)
comment:1 Changed 10 years ago by
comment:2 Changed 10 years ago by
| Cc: | Ryan J Ollos added; anonymous removed |
|---|---|
comment:3 follow-up: 4 Changed 10 years ago by
The question was also asked in trac:#11803 and Jun suggested just disabling the RegistrationModule if you don't want to allow users to create accounts.
comment:4 Changed 10 years ago by
| Keywords: | registration added |
|---|---|
| Resolution: | → invalid |
| Status: | new → closed |
Replying to rjollos:
The question was also asked in trac:#11803 and Jun suggested just disabling the RegistrationModule if you don't want to allow users to create accounts.
Thanks for the reference. Because Jun obviously agrees with my own conclusion, keeping up the reported bug claim against this plugin cannot hold any longer. The reported behavior is correct for a system with enabled user registration (RegistrationModule).
Hint: The reporter should rather use our trac-user mailing-list or IRC to get additional support on local installation and/or configuration issues.
I fail to see the reason for your complaint. What did you expect? And what are the values sent by Nessus here?
Registration is done from an anonymous session. That's the purpose of the user (self-)registration process in contrast to administrative user account creation through admin web-UI.
Speaking of security, maybe you should update AccountManager to v0.4.4, and make sure to unleash the full power of modular registration by configuring more than the bare defaults for the available checks. Configuration page 4 of the trunk version (0.5dev) would even allow you to see details of what checks are enabled, their purpose and their configuration.
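For an administrator who keeps RegistrationModule enabled, the log excerpt in the description is enough to monitor self-registrations. The following is an added Python example, not code from this ticket or from AccountManagerPlugin: it correlates each "Created new user" message with the POST /register request it was logged under, and records whether the permission check in that request ran as anonymous. The sample input is the six lines quoted above plus two constructed lines for an account created through the admin panel (the path '/admin/accounts/users' is an assumption), which must not be reported.

```python
import re
from collections import namedtuple
# Trac log line shape seen in the ticket: "<date> <time> Trac[<module>] <LEVEL>: <message>"
LINE_RE = re.compile(r"^(\S+ \S+) Trac\[\w+\] \w+: (.*)$")
DISPATCH_RE = re.compile(r'Dispatching <RequestWithSession "(\w+) \'([^\']*)\'">')
SESSION_RE = re.compile(r"Retrieving session for ID '([0-9a-f]+)'")
CREATED_RE = re.compile(r"Created new user: (.+)$")
ANON_MARK = "No policy allowed anonymous performing "
# anonymous is True when the perm check in the same request ran as 'anonymous'
Registration = namedtuple("Registration", "timestamp session_id anonymous username")
def find_self_registrations(lines):
    """One Registration per 'Created new user' logged while a POST /register is
    being dispatched; accounts created on other requests (admin panel) are skipped."""
    found, in_register, session, anon = [], False, "", False
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = m.groups()
        d = DISPATCH_RE.search(msg)
        if d:  # a new request starts: reset the per-request state
            in_register = d.group(1) == "POST" and d.group(2) == "/register"
            session, anon = "", False
        elif in_register:
            s, c = SESSION_RE.search(msg), CREATED_RE.search(msg)
            if s:
                session = s.group(1)
            elif ANON_MARK in msg:
                anon = True
            elif c:
                found.append(Registration(ts, session, anon, c.group(1)))
    return found

# Constructed sample: the six lines quoted in the ticket, then two made-up lines
# for an account created through the admin panel, which must not be reported.
SAMPLE_LOG = """\
2014-11-01 02:40:43,407 Trac[main] DEBUG: Dispatching <RequestWithSession "POST '/register'">
2014-11-01 02:40:43,408 Trac[session] DEBUG: Retrieving session for ID 'd1e15c57faf4f33fabad61c9'
2014-11-01 02:40:43,409 Trac[main] DEBUG: Negotiated locale: None -> None
2014-11-01 02:40:43,410 Trac[api] WARNING: Unable to find repository '(default)' for synchronization
2014-11-01 02:40:43,439 Trac[perm] DEBUG: No policy allowed anonymous performing ACCTMGR_USER_ADMIN on None
2014-11-01 02:40:43,441 Trac[api] INFO: Created new user: 12345
2014-11-01 03:10:00,000 Trac[main] DEBUG: Dispatching <RequestWithSession "POST '/admin/accounts/users'">
2014-11-01 03:10:00,001 Trac[api] INFO: Created new user: bob
"""

def scan_sample():
    return find_self_registrations(SAMPLE_LOG.splitlines())
```

Feeding the live Trac log through `find_self_registrations` gives one record per self-registered account with its session ID, which is what an alert or audit report on unwanted registrations needs.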