Any mysql database you can access from any account

MakeHosting

• October 12, 2019 01:55

Anybody has this problem? I see that on my cpanel any person now can create any database name (before it was cpanelusername used as prefix then _ then db name). The problem is that if person enters anything, they can then see any other person database or manage it or access it or delete it in their cpanel account. SO if you enter for DB name something like test... ANY other database that contains test in its name that user will have access to.

• 

  GOT

  • October 14, 2019 13:49

  Have you actually replicated this? I get that you may think this would be the case logically, however, that is generally not the case. It is possible for any account to access any other account database if they have a valid user/pass combo for that database, they are not segmented that way but you should not be able to see them in the cPanel interface or in the cPanel phpmyadmin.

  0
• 

  cPanelLauren

  • October 14, 2019 20:04

  Can you please provide step by step replication steps for this @MakeHosting so that I can attempt to check this on a test system?

  0
• 

  MakeHosting

  • October 16, 2019 07:49

  Go to Tweak settings If this option i set to NO Require a username prefix on names of new databases and database users GO to ANY cpanel account and type any other DB name other than yours that appears in any other cpanel user. It will list you all DB names from ANY user that contains the string you entered.

  0
• 

  MakeHosting

  • October 16, 2019 07:50

  I got confirmation by email that this IS the case. It is attached to change log: CPANEL-29191

  0

Please sign in to leave a comment.