On Saturday, November 1, 2014 5:06:29 AM UTC-7, ams wrote:
>
> I administer a system running a private installation of Trac 1.0.1. Last
> night I opened firewalls to allow a company Nessus scan. Nessus was able
> to create a new Trac user.
>
> 2014-11-01 02:40:43,407 Trac[main] DEBUG: Dispatching <RequestWithSession "POST '/register'">
> 2014-11-01 02:40:43,408 Trac[session] DEBUG: Retrieving session for ID 'd1e15c57faf4f33fabad61c9'
> 2014-11-01 02:40:43,409 Trac[main] DEBUG: Negotiated locale: None -> None
> 2014-11-01 02:40:43,410 Trac[api] WARNING: Unable to find repository '(default)' for synchronization
> 2014-11-01 02:40:43,439 Trac[perm] DEBUG: *No policy allowed anonymous performing ACCTMGR_USER_ADMIN on None*
> 2014-11-01 02:40:43,441 Trac[api] INFO: *Created new user: 12345*
>
> Is this a configuration issue, or a native vulnerability?
>
For reference, solutions have been provided in:
http://trac.edgewall.org/ticket/11803
http://trac-hacks.org/ticket/12047
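
An added example, not part of the original thread and not Trac or plugin code: a Python check that scans a Trac log in the format quoted above and reports accounts created directly after a `POST '/register'` request, noting whether the anonymous permission-check line appeared in between. The sample log is constructed from the quoted lines plus two made-up ones; the function name and the 2-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: three lines quoted in the post, followed by two made-up
# lines (an admin page request and a later account creation).
SAMPLE_LOG = """\
2014-11-01 02:40:43,407 Trac[main] DEBUG: Dispatching <RequestWithSession "POST '/register'">
2014-11-01 02:40:43,439 Trac[perm] DEBUG: *No policy allowed anonymous performing ACCTMGR_USER_ADMIN on None*
2014-11-01 02:40:43,441 Trac[api] INFO: *Created new user: 12345*
2014-11-01 09:15:02,100 Trac[main] DEBUG: Dispatching <RequestWithSession "GET '/admin/accounts/users'">
2014-11-01 09:15:40,250 Trac[api] INFO: Created new user: alice
"""

# Log layout as seen in the post: "<time>,<ms> Trac[<module>] <LEVEL>: <message>"
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),(\d{3}) Trac\[([^\]]+)\] (\w+): (.*)$")
REGISTER = re.compile(r'''Dispatching <\w+ "POST '/register'">''')
ANON_CHECK = re.compile(r"No policy allowed anonymous performing ACCTMGR_USER_ADMIN")
CREATED = re.compile(r"Created new user: (.+)$")


def find_self_registrations(log_text, window=timedelta(seconds=2)):
    """Return (timestamp, user, anonymous_seen) for users created right after POST /register."""
    hits = []
    pending = None   # time of the most recent POST /register dispatch, if still open
    anon = False     # anonymous permission-check line seen since that dispatch
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ts += timedelta(milliseconds=int(m.group(2)))
        msg = m.group(5).replace("*", "")  # drop e-mail emphasis markers
        created = CREATED.search(msg)
        if "Dispatching <" in msg:
            # Any other request ends the correlation with an earlier /register.
            pending = ts if REGISTER.search(msg) else None
            anon = False
        elif pending and ANON_CHECK.search(msg):
            anon = True
        elif pending and created and ts - pending <= window:
            stamp = ts.isoformat(sep=" ", timespec="milliseconds")
            hits.append((stamp, created.group(1).strip(), anon))
            pending = None
    return hits


if __name__ == "__main__":
    for stamp, user, anonymous in find_self_registrations(SAMPLE_LOG):
        print(f"{stamp} self-registered user={user!r} anonymous_session={anonymous}")
```

The correlation relies on the DEBUG-level dispatch lines, so it only works while the Trac log level is set to DEBUG as in the quoted excerpt.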
