New user created anonymously

[tracbug.anonuserissue@…]

I administer a system running a private installation of Trac 1.0.1. Last night I opened firewalls to allow a company Nessus scan. Nessus was able to create a new Trac user.

2014-11-01 02:40:43,407 Trac[main] DEBUG: Dispatching <RequestWithSession "POST '/register'">
2014-11-01 02:40:43,408 Trac[session] DEBUG: Retrieving session for ID 'd1e15c57faf4f33fabad61c9'
2014-11-01 02:40:43,409 Trac[main] DEBUG: Negotiated locale: None -> None
2014-11-01 02:40:43,410 Trac[api] WARNING: Unable to find repository '(default)' for synchronization
2014-11-01 02:40:43,439 Trac[perm] DEBUG: No policy allowed anonymous performing ACCTMGR_USER_ADMIN on None
2014-11-01 02:40:43,441 Trac[api] INFO: Created new user: 12345

Is this a configuration issue, or native vulnerability?

Trac   1.0.1
AccountManager 0.4.3
CentOS 6.6
Python 2.6.6
Apache 2.2.15

System Information

Package	Version
Trac 	1.0.1
Trac 	1.0.1
Babel 	0.9.4 (translations unavailable)
Genshi 	0.7 (without speedups)
mod_python 	3.3.1
pysqlite 	2.4.1
Python 	2.6.6 (r266:84292, Jan 22 2014, 09:42:36) [GCC 4.4.7 20120313 (Red Hat 4.4.7-4)]
Python 	2.6.6 (r266:84292, Jan 22 2014, 09:42:36) [GCC 4.4.7 20120313 (Red Hat 4.4.7-4)]
setuptools 	0.6
setuptools 	0.6
SQLite 	3.6.20
Subversion 	1.6.11 (r934486)
jQuery	1.7.2

Installed Plugins

TracAccountManager 	0.4.3 	/usr/lib/python2.6/site-packages/TracAccountManager-0.4.3-py2.6.egg

[Steffen Hoffmann]

I fail to see the reason for your complaint. What did you expect? And what are the values sent by Nessus here?

Registration is done from an anonymous session. That's the purpose of the user (self-)registration process in contrast to administrative user account creation through admin web-UI.

Speaking of security maybe you should update AccountManager to v0.4.4, and make sure to unleash full power of modular registration by configuring more than bare defaults for the available checks. Configuration page 4 of trunk version (0.5dev) would even allow you to see details of what checks are enabled, their purpose and configuration.

[Ryan J Ollos]

The question was also asked in ​trac:#11803 and Jun suggested just disabling the RegistrationModule if you don't want to allow users to create accounts.

[Steffen Hoffmann]

Replying to rjollos:

The question was also asked in ​trac:#11803 and Jun suggested just disabling the RegistrationModule if you don't want to allow users to create accounts.

Thanks for the reference. Because Jun obviously agrees to my own conclusion, keeping up the reported bug claim against this plugin cannot hold any longer. The reported behavior is correct for a system with enabled user registration (RegistrationModule).

Hint: The reporter should rather use our trac-user ​mailing-list or IRC to get additional support on local installation and/or configuration issues.