Something weird has happened on my server.
I use a selection of sites and users both top level and consolidated internal sites.
I have just setup a external site for someone to help me on something and I put phpmyadmin on a subserver of it for him to use as he will need database access.
Here's the scary thing of my internal test databases on another user and password is visible when logged in as this guys mysql user.
Other databases luckily aren't accessible to that user.
I don't know why it is so.
Here is proof passwords etc are blocked out.
I have wordpress on user webmaster my internal site system and in the wordpress config is this:
The database for this is 'test' as it was my first test on stuff.// ** MySQL settings - You can get this info from your web host ** // /** The name of the database for WordPress */ define('DB_NAME', 'test'); /** MySQL database username */ define('DB_USER', 'webmaster'); /** MySQL database password */ define('DB_PASSWORD',
Edited at password to not show it.
Now I have another user I just setup this time david on a separate top level vhost
But look at this in is database list in PhpMyAdmin he has this edited the database names of his database.Expand/CollapseDatabase operationscoo Expand/CollapseDatabase operationsib_david Expand/CollapseDatabase operationspma_david Expand/Collapsetest Expand/CollapseDatabase operationstest Expand/CollapseDatabase operationstest_server
He has access to the test database from user webmaster which uses a different username and password.
He can read the data.Edit Edit Copy Copy Delete Delete 1 1 Mr WordPress https://wordpress.org/ 2014-08-14 09:44:58 2014-08-14 09:44:58 Hi, this is a comment. To delete a comment, just l... 0 1 0 0
He can also edit the database.1 row affected. UPDATE `test`.`wp_comments` SET `comment_content` = 'Hi, this is a comment. To delete a comment, just log in and view the post's comments. There you will have the option to edit or delete them. Trolled I have access to your database fool' WHERE `wp_comments`.`comment_ID` = 1;
Why did this happen 2 separate users passwords and databases yet somehow a new user can see and edit a database from another user.
Luckily it isn't every database on the server and all other databases under that user can't be accessed.
I dunno if a plugin into wordpress made that database accessible like this.