weird msql security issues

4 posts / 0 new
Last post
#1 Wed, 08/27/2014 - 11:09
drguild

weird msql security issues

Something weird has happened on my server.

I use a selection of sites and users both top level and consolidated internal sites.

I have just setup a external site for someone to help me on something and I put phpmyadmin on a subserver of it for him to use as he will need database access.

Here's the scary thing of my internal test databases on another user and password is visible when logged in as this guys mysql user.

Other databases luckily aren't accessible to that user.

I don't know why it is so.

Here is proof passwords etc are blocked out.

I have wordpress on user webmaster my internal site system and in the wordpress config is this:

The database for this is 'test' as it was my first test on stuff.

// ** MySQL settings - You can get this info from your web host ** // /** The name of the database for WordPress */ define('DB_NAME', 'test');   /** MySQL database username */ define('DB_USER', 'webmaster');   /** MySQL database password */ define('DB_PASSWORD',

Edited at password to not show it.

Now I have another user I just setup this time david on a separate top level vhost

But look at this in is database list in PhpMyAdmin he has this edited the database names of his database.

Expand/CollapseDatabase operationscoo Expand/CollapseDatabase operationsib_david Expand/CollapseDatabase operationspma_david Expand/Collapsetest Expand/CollapseDatabase operationstest Expand/CollapseDatabase operationstest_server

He has access to the test database from user webmaster which uses a different username and password.

He can read the data.

Edit Edit Copy Copy Delete Delete 1 1 Mr WordPress https://wordpress.org/ 2014-08-14 09:44:58 2014-08-14 09:44:58 Hi, this is a comment. To delete a comment, just l... 0 1 0 0

He can also edit the database.

1 row affected. UPDATE `test`.`wp_comments` SET `comment_content` = 'Hi, this is a comment. To delete a comment, just log in and view the post's comments. There you will have the option to edit or delete them. Trolled I have access to your database fool' WHERE `wp_comments`.`comment_ID` = 1;

Why did this happen 2 separate users passwords and databases yet somehow a new user can see and edit a database from another user.

Luckily it isn't every database on the server and all other databases under that user can't be accessed.

I dunno if a plugin into wordpress made that database accessible like this.

Wed, 08/27/2014 - 14:02
drguild

I worked out the issue to this. It's because the database is called test or test_ which is a mysql internal thing.

By doing so the database is automatically granted to everyone in the system and on virtualmin, any user just needs to create database starting with test_ and everyone on the entire hosting platform gets access to it in there database list by default.

Also any user can user in virtualmin can use the default mysql test database on the hosting platform by just referencing it as the database and there mysql admin password as I managed to use it with my webmaster account accidentally.

https://blogs.oracle.com/jsmyth/entry/the_test_database

Oracle recommend securing the main mysql database and removing the test account etc using a command.

I'm sure this was just overlooked when programming virtualmin not to secure the mysql test environment automatically on install as most installs would have this vulnerability like I did.

I have run the command in SSH: 'mysql_secure_installation' to secure my installation as recommended and hope virtualmin automatically makes these recommended changes in the future for other installs.

By running the command listed in the paragraph above, test_ databases can still be created automatically in virtualmin and are still accessible by users but are now locked to that user instead of open to everyone.

Tue, 11/10/2015 - 20:37
Francewhoa
Francewhoa's picture

- - -
Senior Product Manager, and Co-Founder at Ubertus.org Inc.
Love back your Virtualmin & Webmin community

Tue, 09/11/2018 - 22:19
Francewhoa
Francewhoa's picture

For those using MariaDB, it is the same command mysql_secure_installation

Source and documentation at https://mariadb.com/kb/en/library/mysql_secure_installation/

- - -
Senior Product Manager, and Co-Founder at Ubertus.org Inc.
Love back your Virtualmin & Webmin community