
Opened 10 years ago

Closed 10 years ago

#12047 closed defect (invalid)

New user created anonymously

Reported by: tracbug.anonuserissue@… Owned by: Steffen Hoffmann
Priority: high Component: AccountManagerPlugin
Severity: normal Keywords: registration
Cc: Ryan J Ollos Trac Release:

Description

I administer a system running a private installation of Trac 1.0.1. Last night I opened firewalls to allow a company Nessus scan. Nessus was able to create a new Trac user.

2014-11-01 02:40:43,407 Trac[main] DEBUG: Dispatching <RequestWithSession "POST '/register'">
2014-11-01 02:40:43,408 Trac[session] DEBUG: Retrieving session for ID 'd1e15c57faf4f33fabad61c9'
2014-11-01 02:40:43,409 Trac[main] DEBUG: Negotiated locale: None -> None
2014-11-01 02:40:43,410 Trac[api] WARNING: Unable to find repository '(default)' for synchronization
2014-11-01 02:40:43,439 Trac[perm] DEBUG: No policy allowed anonymous performing ACCTMGR_USER_ADMIN on None
2014-11-01 02:40:43,441 Trac[api] INFO: Created new user: 12345

Is this a configuration issue, or native vulnerability?

Trac   1.0.1
AccountManager 0.4.3
CentOS 6.6
Python 2.6.6
Apache 2.2.15

System Information

Package	Version
Trac 	1.0.1
Babel 	0.9.4 (translations unavailable)
Genshi 	0.7 (without speedups)
mod_python 	3.3.1
pysqlite 	2.4.1
Python 	2.6.6 (r266:84292, Jan 22 2014, 09:42:36) [GCC 4.4.7 20120313 (Red Hat 4.4.7-4)]
setuptools 	0.6
SQLite 	3.6.20
Subversion 	1.6.11 (r934486)
jQuery	1.7.2

Installed Plugins

TracAccountManager 	0.4.3 	/usr/lib/python2.6/site-packages/TracAccountManager-0.4.3-py2.6.egg

Attachments (0)

Change History (4)

comment:1 Changed 10 years ago by Steffen Hoffmann

I fail to see the reason for your complaint. What did you expect? And what are the values sent by Nessus here?

Registration is done from an anonymous session. That's the purpose of the user (self-)registration process, in contrast to administrative user account creation through the admin web-UI.

Speaking of security, maybe you should update AccountManager to v0.4.4, and make sure to unleash the full power of modular registration by configuring more than the bare defaults for the available checks. Configuration page 4 of the trunk version (0.5dev) would even let you see details of which checks are enabled, their purpose and their configuration.

comment:2 Changed 10 years ago by Steffen Hoffmann

Cc: Ryan J Ollos added; anonymous removed

comment:3 Changed 10 years ago by Ryan J Ollos

The question was also asked in trac:#11803 and Jun suggested just disabling the RegistrationModule if you don't want to allow users to create accounts.

comment:4 in reply to: 3 Changed 10 years ago by Steffen Hoffmann

Keywords: registration added
Resolution: invalid
Status: new → closed

Replying to rjollos:

The question was also asked in trac:#11803 and Jun suggested just disabling the RegistrationModule if you don't want to allow users to create accounts.

Thanks for the reference. Because Jun obviously agrees with my own conclusion, the reported bug claim against this plugin cannot be upheld any longer. The reported behavior is correct for a system with user registration (RegistrationModule) enabled.

Hint: The reporter should rather use our trac-user mailing-list or IRC to get additional support on local installation and/or configuration issues.
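The following Python script is an added example and is not code from this ticket or from AccountManagerPlugin. It covers the two practical points of the thread: it correlates Trac debug-log lines like those quoted in the description, flagging every account creation that followed a POST '/register' from an anonymous session, and it evaluates a trac.ini [components] section to tell whether the RegistrationModule is enabled, using a simplified model of Trac's longest-matching-pattern rule (the fix suggested in comment:3). The log excerpt and both trac.ini fragments are constructed for the example, and the component name acct_mgr.web_ui.RegistrationModule is an assumption for the 0.4.x plugin; confirm it against the plugin admin page of your own install before relying on it.

```python
"""Added example: audit Trac self-registration from log lines and trac.ini.

Not code from the ticket or from AccountManagerPlugin. The log excerpt and
the trac.ini fragments below are constructed for this example.
"""
import configparser
import re

# Constructed log excerpt modeled on the lines quoted in the ticket. A second
# POST '/register' that did not create an account is included as a control.
SAMPLE_LOG = """\
2014-11-01 02:40:43,407 Trac[main] DEBUG: Dispatching <RequestWithSession "POST '/register'">
2014-11-01 02:40:43,408 Trac[session] DEBUG: Retrieving session for ID 'd1e15c57faf4f33fabad61c9'
2014-11-01 02:40:43,439 Trac[perm] DEBUG: No policy allowed anonymous performing ACCTMGR_USER_ADMIN on None
2014-11-01 02:40:43,441 Trac[api] INFO: Created new user: 12345
2014-11-01 02:41:10,002 Trac[main] DEBUG: Dispatching <RequestWithSession "GET '/login'">
2014-11-01 02:42:00,100 Trac[main] DEBUG: Dispatching <RequestWithSession "POST '/register'">
2014-11-01 02:42:00,140 Trac[perm] DEBUG: No policy allowed anonymous performing ACCTMGR_USER_ADMIN on None
2014-11-01 02:42:00,150 Trac[main] DEBUG: Dispatching <RequestWithSession "GET '/wiki'">
"""

DISPATCH_RE = re.compile(
    r"^(?P<ts>\S+ \S+) Trac\[main\] DEBUG: Dispatching "
    r"<\w+ \"(?P<method>[A-Z]+) '(?P<path>[^']*)'\">")
PERM_RE = re.compile(r"Trac\[perm\] DEBUG: No policy allowed (?P<who>\S+) performing")
CREATED_RE = re.compile(r"Trac\[api\] INFO: Created new user: (?P<user>\S+)")


def find_self_registrations(log_text):
    """Return (timestamp, new_user, requester) for every POST /register
    request that ended in 'Created new user'.

    Assumes requests do not interleave in the log (a single worker); with
    concurrent workers you need a per-request ID to correlate on.
    """
    hits = []
    current = None  # state of the request whose lines we are reading
    for line in log_text.splitlines():
        m = DISPATCH_RE.match(line)
        if m:
            current = {"ts": m["ts"], "who": None,
                       "register": m["method"] == "POST" and m["path"] == "/register"}
            continue
        if current is None or not current["register"]:
            continue
        m = PERM_RE.search(line)
        if m:  # the perm check names the requesting user ('anonymous' here)
            current["who"] = m["who"]
            continue
        m = CREATED_RE.search(line)
        if m:
            hits.append((current["ts"], m["user"], current["who"] or "unknown"))
    return hits


# Assumed component name of the 0.4.x self-registration module.
REGISTRATION_COMPONENT = "acct_mgr.web_ui.RegistrationModule"

# Constructed trac.ini fragments: the plugin enabled wholesale (registration
# open to anonymous users) and the same with registration switched off.
INI_REGISTRATION_OPEN = """\
[components]
acct_mgr.* = enabled
"""
INI_REGISTRATION_CLOSED = """\
[components]
acct_mgr.* = enabled
acct_mgr.web_ui.RegistrationModule = disabled
"""


def component_enabled(ini_text, component):
    """Decide whether `component` is enabled by the [components] section.

    Simplified model of Trac's rule: the longest matching pattern wins,
    a trailing '*' is a prefix wildcard, and without any matching rule only
    Trac's own components (trac.*) are enabled.
    """
    cp = configparser.RawConfigParser()
    cp.read_string(ini_text)
    name = component.lower()
    rules = cp.items("components") if cp.has_section("components") else []
    for pattern, value in sorted(rules, key=lambda kv: -len(kv[0])):
        pattern = pattern.lower()
        if name == pattern or (pattern.endswith("*") and name.startswith(pattern[:-1])):
            return value.strip().lower() in ("enabled", "on")
    return name.startswith("trac.")


if __name__ == "__main__":
    for ts, user, who in find_self_registrations(SAMPLE_LOG):
        print(f"{ts}: account '{user}' created via /register by '{who}'")
    for label, ini in (("open", INI_REGISTRATION_OPEN), ("closed", INI_REGISTRATION_CLOSED)):
        print(f"{label}: RegistrationModule enabled = "
              f"{component_enabled(ini, REGISTRATION_COMPONENT)}")
```

On the constructed log the first POST '/register' is reported as an anonymous self-registration of user 12345 and the second, which created nothing, is not. The log correlation leans on the "No policy allowed anonymous ..." line, which is a debug-level message: if your log_level is above DEBUG the requester is reported as "unknown", and under mod_python or any multi-worker setup the lines of concurrent requests interleave, so a real detection needs a per-request correlation key rather than line order. The trac.ini check shows why "acct_mgr.* = enabled" alone leaves registration open: the specific "acct_mgr.web_ui.RegistrationModule = disabled" rule is longer and therefore wins.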
