Huge Security Hole in MySQL or What??

Anon

This can't be correct!: I am virtually hosted (static IP) with a host that provides MySQL and PHP4. Great!, I though. Then I just managed, quite unintentionally, to discover the "root" passowrd, and I successfully logged in with it through phpMyAdmin. I have access to ALL of the databases owned by the various virtually-hosted subscribers to our host (this is nearly a hundred databases.) Not only can I see them, but I can do anything to them!!!!!----I'm logged in as "root." Of course, I didn't do anything malicious.
But what the *?!@#? Is MySQL security really this bad on virtually hosted sites or did my root host screw up? And toboot, I found the password in a file sitting on my own virtual domain.

Does this seem right? If so, is it possible to install my OWN MySQL in my virtual directory (say, in the root directory above /www/) that other people can't access like this?

Any comments would be very helpful...

--P.S.

brandonschnell

I'd switch to a different host. if thats standard practice at the host most likely other users have figured out the password as well.

i'd chalk that up to someone forgetting to remove the password after setting up the account or to piss poor security. if they're truely that clueless i'd wonder what else they're cutting corners on.

Anon

This is just plain stupidity, not a MySQL vulnerability. I mean, really, a root password is a root password. Of course it gives you access to all databases. How else would you propose it to work?

The hosting company just slipped up, in some inexplicable way. (a file on your directory?). But, in general, MySQL itself has a very good fine-grained security model that can easily keep one user out of another user's database, and much more.

If I were you, I would be wary of trusting the host, but it might just have been a stupid slip-up, rather than a bad security policy in general. Probably, if you just explain the problem, and demand that they create a new root password for MySQL, everything will be fine. (Don't tell them you logged in with that password, though--these days, there is too much hysteria about "hackers". Just say you found it, and it made you wonder...)

Anon

THX for your replies....

I gave my host several days to sort it out... I had to explain the problem to them in-depth...they're clueless. After several days of troubletickets that they kept saying were complete, I kept looking into my config.inc.php file at the new password they created.

They're latest fix: deny me access to the directory www/phpMyAdmin. And the URL is "Forbidden" taboot.

My host, whom I've been with for four years is a BIG hosting provider based in Texas that posts tens of millions in earning and hundreds of thousands of customers.

Before I post they're name, I'll clear my gear and find a new spot. I have a list of directories (about 1300) on the host's root so can mass-mail warnings to others there.

Mr. CEO of the company who is exhalted in press releases shall hear about this.

Can anyone reccomend a good MySQL/PHP4 host? I value security and service and I'm willing to pay for the best.

Thanx again!

brandonschnell

i'm convinced that if security is important to you the only choices is dedicated hosting or finding a smalling host where PHP is their only business.

It seems most companies setup LAMP just to say they offer it, but without understanding how Linux/Apache/Mysql/PHP works.

Anon

Thx for the input...If I find a good host I'll post it.