Control Web Panel
WebPanel => MySQL => Topic started by: anandmys on April 04, 2025, 11:15:57 AM
-
Hi
When I log in to phpMyAdmin using any user, I am able to see all databases, tables and data of other users as well.
What might be wrong?
-
Hi,
It could happen if you accessed phpMyAdmin as "root" then opened the user level control panel and opened phpMyAdmin.
Log out from phpMyAdmin (it isn't enough to just close phpMyAdmin in the browser) and then try to access phpMyAdmin as a regular user.
-
Did that. Even used a different browser.
-
Definitely not how my server behaves. I log in to the /pma link as a user account with their password and I can only see the DB that the user owns, not the extent of the full server-wide DB.
When under a user control panel, you go to the Databases > phpMyAdmin link:
https://yourserver.tld:2083/cwp_SESSIONID/username/?module=pma
should forward you to:
https://yourserver.tld:2087/pma/index.php?route=/&route=%2F
Is that what you see happening? And what if you directly load PMA?
https://yourserver.tld:2087/pma/
Do you get a login screen where you can log in as a user?
-
Yes. This is happening as you mentioned.
But when I log in with a db user at https://yourserver.tld:2087/pma/, I am getting access to all other users' DBs.
-
Got the answer from here:
https://forum.centos-webpanel.com/centos-webpanel-bugs/users-can-see-all-phpmyadmin-user-database-how-to-prevent-it/msg51069/#msg51069
Deleting user "Any" resolved the issue. Not sure if I have created any other issue due to this.
As of now all good.
-
Perhaps that came from a cPanel migration? I don't have an "any" user on any of my servers...
-
Surprised to see that.
Hope it's not a malware / hacking issue.
-
As a matter of course on a new server, run
/usr/bin/mariadb-secure-installation
Make sure the default test DB is removed to close up these types of potential security holes.
-
I have removed the Any user and run /usr/bin/mariadb-secure-installation and my users can still see and access all the databases from all the other users. This is a serious security risk, how do I fix it?
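-
Added example, not part of any post in this thread and not CWP's own tooling: read-only audit queries for the conditions discussed above (an anonymous account, which phpMyAdmin lists as "Any", the default test database entries, and accounts holding global privileges). It assumes a MariaDB server; the first four queries are run as root in the mariadb client, the last two while logged in as the affected database user.

```sql
-- 1. Anonymous accounts: rows with an empty user name.
--    phpMyAdmin shows these as user "Any" on its user accounts page.
SELECT User, Host
FROM mysql.user
WHERE User = '';

-- 2. Database-level grants held by anonymous accounts, plus the default
--    "test" entries that mariadb-secure-installation offers to remove.
--    LIKE 'test%' also matches real databases whose names start with
--    "test", so review each row rather than assuming it is a default.
SELECT Host, Db, User, Select_priv
FROM mysql.db
WHERE User = '' OR Db LIKE 'test%';

-- 3. Accounts with global privileges. A global SELECT lets the account
--    read every database; SHOW DATABASES lets it list every database name.
--    On a shared server this should normally be root and service accounts only.
SELECT User, Host, Select_priv, Show_db_priv
FROM mysql.user
WHERE Select_priv = 'Y' OR Show_db_priv = 'Y'
ORDER BY User, Host;

-- 4. Which account is granted access to which database. Each panel user
--    should appear only next to databases that user owns.
SELECT User, Host, Db
FROM mysql.db
ORDER BY User, Db;

-- 5. Run as the affected user (for example in phpMyAdmin's SQL tab):
--    USER() is the name the client supplied, CURRENT_USER() is the account
--    the server actually matched. If they differ, the session is running
--    with another account's privileges.
SELECT USER(), CURRENT_USER();

-- 6. The privileges of that matched account. A line starting with
--    "GRANT ... ON *.*" other than USAGE means server-wide access.
SHOW GRANTS FOR CURRENT_USER();
```

If an account or grant is changed by editing the mysql tables directly instead of with DROP USER or REVOKE, run FLUSH PRIVILEGES afterwards so the server reloads them.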