Thread: Unknown test database for all MySQL accounts in phpMyAdmin

  1. #1
    Join Date
    Jul 2013
    Location
    Mashhad, Iran
    Posts
    103

    Unknown test database for all MySQL accounts in phpMyAdmin

    Hey guys.
    For some days now, an unknown database named "test" has appeared in all MySQL accounts on my server inside phpMyAdmin. Each user is seeing this database! What's the matter? Is this a hacking issue or is it a bug?

  2. #2
    Join Date
    May 2008
    Posts
    741
    No, it's normal. Usually this is a shared database where users can "test" things. Like a temp database. Of course they should NOT upload confidential data there. It's shared.

    If you don't like it, you can drop it.

  3. #3
    Join Date
    Jul 2013
    Location
    Mashhad, Iran
    Posts
    103
    Quote: Originally Posted by wattie
    No, it's normal. Usually this is a shared database where users can "test" things. Like a temp database. Of course they should NOT upload confidential data there. It's shared.

    If you don't like it, you can drop it.

    I don't think so. These databases did not exist before. All users had only their created databases when they would open phpMyAdmin. But now, all customers are seeing this new database too.

  4. #4
    Join Date
    May 2008
    Posts
    741
    You probably had it dropped before and recently updated MySQL/MariaDB.

    I already have that database. And I always had it - even on fresh install. It's not a security issue (unless a particular user intentionally shares private data in this database).

    If you don't like it, you can drop it.

  5. #5
    Join Date
    Jun 2015
    Posts
    2
    The problem is due to default privileges granted by MySQL to test databases:

    https://dev.mysql.com/doc/refman/5.5...rivileges.html

    Securing Test Databases
    By default, the mysql.db table contains rows that permit access by any user to the test database and other databases with names that start with test_. (These rows have an empty User column value, which for access-checking purposes matches any user name.) This means that such databases can be used even by accounts that otherwise possess no privileges. If you want to remove any-user access to test databases, do so as follows:
    By default every MySQL user is able to create databases with the name test or any name starting with test_ and every user can manipulate the content of these databases.

    To drop these privileges you can run these commands on your MySQL server as the root MySQL user:

    HTML Code:
    DELETE FROM mysql.db WHERE Db LIKE 'test\\\_%' OR Db LIKE 'test';
    
    FLUSH PRIVILEGES;
    It's a security risk for DirectAdmin servers and I think it should be automatically fixed by Custombuild after installing/upgrading MySQL server.
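
Added example, not part of the original thread: a read-only audit to run as the MySQL root user before and after the DELETE in post #5, showing which any-user rows exist in mysql.db and which existing schemas they cover. It assumes the standard mysql.db grant-table columns and the default backslash escape character for LIKE.

```sql
-- 1. Database-level grant rows with an empty User column. For access
--    checking these match every account name, which is why every
--    customer sees "test" in phpMyAdmin.
SELECT Host, Db, User,
       Select_priv, Insert_priv, Update_priv, Delete_priv,
       Create_priv, Drop_priv
FROM mysql.db
WHERE User = ''
ORDER BY Db, Host;

-- 2. Schemas that exist right now and fall under the default any-user
--    patterns ("test" and names starting with "test_"). Review their
--    contents before dropping them: any account could have written here.
SELECT s.SCHEMA_NAME,
       COUNT(t.TABLE_NAME) AS table_count
FROM information_schema.SCHEMATA AS s
LEFT JOIN information_schema.TABLES AS t
       ON t.TABLE_SCHEMA = s.SCHEMA_NAME
WHERE s.SCHEMA_NAME = 'test'
   OR s.SCHEMA_NAME LIKE 'test\_%'   -- \_ matches a literal underscore
GROUP BY s.SCHEMA_NAME
ORDER BY s.SCHEMA_NAME;

-- 3. After the DELETE and FLUSH PRIVILEGES from the post above, run
--    query 1 again. It should return no rows whose Db is test or test\_%.
```

Removing the mysql.db rows only removes the any-user privileges; schemas listed by query 2 still exist until they are dropped.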

  6. #6
    Join Date
    May 2008
    Posts
    741
    This is not a security risk for anyone. Every developer knows what the "test database" in MySQL/MariaDB is.

    Yes, if they put sensitive information in that database, this exposes that information as a security risk FOR THEM. But it is the same as let's say they publish their username and password in a question on StackOverflow. Yeah, they shouldn't do that and it's a security risk for them for sure. But hey, nobody is that stupid, right?

    Good luck in preventing all users from doing all stupid things that their mind can create. You can't.

    Therefore the test database is a feature, not a risk. If you don't like it, drop it - it's simple.
