HELP!! MySQL databases accessable to all users??

[gadgetsguy]

It was brought to my attention today, that all users on a shared host can access each other's MySQL databases ...

What the _______ is this all about? REALLY???

My client was able to take full control of other users' databases via phpmyadmin

Please tell me how do we fix this MASSIVE security breach?

Thanks
Tim

 

[gadgetsguy]

BTW .... I'm using DA version 1.39.1 on CentOS 5

thanks

 

[gadgetsguy]

I am sure I am not the only person who's concerned about this?

How is it possible, that Client A can truncate or delete any tables they wish from Client B's datbases??

 

[scsi]

Why dont you check your permissions table if you want to know why they can access other databases...this has nothing to do with directadmin at all.

 

[gadgetsguy]

My system admin is in the hospital currently ...

could you please tell me where I might find these permissions tables?

Thank you

 

[scsi]

Login to phpmyadmin as mysql admin user and go to privileges...then check the privileges of the user to see if they have a global privilege to any database or if they have a privilege to a specific database.

 

[gadgetsguy]

Please remind me again, what file I view to see the mySQL admin password?

EDIT: I've found it ..

 

[gadgetsguy]

OK .... permissions for all users seem to be ALL UNCHECKED?

why would this cause users to be able to edit each other's databases?

http://screencast.com/t/xSyOCaXzExnh

http://screencast.com/t/lruhGdpbA8

 

[zEitEr]

I did not see anything wrong, but maybe somebody will. Did you try to login with any not root (not da_admin) account and check, whether you really can get access to others' DBs?

 

[gadgetsguy]

one of my users had privileges for ANY user .....

It is now been fixed

thank you for your time guys!

 

[zEitEr]

The question is how did he get it? You might need to investigate it.