Hi,
I have been testing Virtualmin alongside other automation tools such as ISPConfig in order to handle a shared hosting offering.
Bravo, very good overall!
I just stumbled upon what looks like a major security issue with the subject’s components.
Here is the issue:
a) I created 3 virtual servers with their own domains
b) one of them required concrete5 CMS, so while installing it I created a dba user with the proper permissions as well as phpMyAdmin with the script installer
c) I’ve logged into the db created with phpMyAdmin and the dba user (not without access problems - I had to change the password many times)
Now to my surprise I realize that all databases are visible and manageable by default!
This is a major security flaw, isn’t it? Looks like all virtual servers’ users have full permissions on all databases (all fields have Y in the main databases privileges table).
What have I done wrong? I used 99% of the default settings.
Regards,