Unknown test database for all MySQL accounts in phpMyAdmin

mbsmt

Hey guys.
Since some days ago, an unknown database named "test" has appeared in all MySQL accounts on my server inside phpMyAdmin. Each user is seeing this database! What's the matter? Is this a hacking issue or is it a bug?
 
No, it's normal. Usually this is a shared database where users can "test" things. Like a temp database. Of course they should NOT upload confidential data there. It's shared.

If you don't like it, you can drop it.
 
I don't think so. These databases did not exist before. All users had only their created databases when they would open phpMyAdmin. But now, all customers are seeing this new database too.
 
You probably had it dropped before and recently updated MySQL/MariaDB.

I already have that database. And I always had it - even on a fresh install. It's not a security issue (unless a particular user intentionally shares private data in this database).

If you don't like it, you can drop it.

 
The problem is due to default privileges granted by MySQL to test databases:

https://dev.mysql.com/doc/refman/5.5/en/default-privileges.html

Securing Test Databases
By default, the mysql.db table contains rows that permit access by any user to the test database and other databases with names that start with test_. (These rows have an empty User column value, which for access-checking purposes matches any user name.) This means that such databases can be used even by accounts that otherwise possess no privileges. If you want to remove any-user access to test databases, do so as follows:

By default every MySQL user is able to create databases with the name test or any name starting with test_ and every user can manipulate the content of these databases.

To drop these privileges you can run these commands on your MySQL server as the root MySQL user:

SQL:
DELETE FROM mysql.db WHERE Db LIKE 'test\\\_%' OR Db LIKE 'test';
FLUSH PRIVILEGES;

It's a security risk for DirectAdmin servers and I think it should be automatically fixed by Custombuild after installing/upgrading MySQL server.
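
Added example, not part of any post in this thread: a simplified Python model of how the `mysql.db` rows quoted above decide which database names are open to every account, and what the DELETE changes. The sample rows and database names are constructed; the model assumes case-sensitive names and ignores the Host column and MySQL's row ordering.

```python
import re

# Constructed sample of mysql.db rows as (Host, Db, User). The first two mirror
# the default any-user rows described in the manual text quoted above.
SAMPLE_ROWS = [
    ("%", "test", ""),
    ("%", r"test\_%", ""),
    ("localhost", r"alice\_shop", "alice"),
]


def db_pattern_to_regex(pattern):
    """Translate a Db column value (LIKE wildcards, backslash escape) to a regex."""
    parts, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            parts.append(re.escape(pattern[i + 1]))  # escaped character is literal
            i += 2
            continue
        parts.append(".*" if ch == "%" else "." if ch == "_" else re.escape(ch))
        i += 1
    return re.compile("".join(parts), re.DOTALL)


def open_to_everyone(db_name, rows):
    """True if a row with an empty User column has a Db pattern matching db_name."""
    return any(
        user == "" and db_pattern_to_regex(db).fullmatch(db_name)
        for _host, db, user in rows
    )


def without_test_rows(rows):
    """Model the DELETE from the post above: drop rows whose Db is 'test' or
    starts with 'test' plus a backslash followed by at least one character."""
    return [
        r for r in rows
        if r[1] != "test" and not (r[1].startswith("test\\") and len(r[1]) >= 6)
    ]


if __name__ == "__main__":
    names = ["test", "test_orders", "testing", "alice_shop"]
    for label, rows in (("before", SAMPLE_ROWS), ("after", without_test_rows(SAMPLE_ROWS))):
        print(label, {n: open_to_everyone(n, rows) for n in names})
```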
 
This is not a security risk for anyone. Every developer knows what the "test database" in MySQL/MariaDB is.

Yes, if they put sensitive information in that database, this exposes that information as a security risk FOR THEM. But it is the same as let's say they publish their username and password in a question on StackOverflow. Yeah, they shouldn't do that and it's a security risk for them for sure. But hey, nobody is that stupid, right?

Good luck in preventing all users from doing all stupid things that their mind can create. You can't.

Therefore the test database is a feature, not a risk. If you don't like it, drop it - it's simple.
 