09-02-2012, 02:07 PM   #1
paketschubser
security bug in database user handling

Hello,

one of our customers tried the following setup:

He created two customer users (user1, user2), each with his own MySQL database (db1, db2). Each database has its own user with the same name as the database. To simplify access for the server administrator, he created another user called admin and gave him access to both databases. So far everything works fine; the problem is that both users (user1 and user2) are now allowed to change the password of the admin user, so that they are able to gain access to other databases by taking over the admin account.
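The post does not say how the panel decides who may edit a database user. As an added example (not part of the original post and not the panel's own code), this sketch assumes the check passes when the account reaches any database the customer owns, and sets it beside a rule that requires ownership of every database the account can reach. All names and data are constructed to mirror the setup described above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DbUser:
    name: str
    databases: frozenset  # databases this MySQL account is granted access to


# Constructed sample data: which panel customer owns which database.
DB_OWNER = {"db1": "user1", "db2": "user2"}

# Constructed sample data: one account per database plus the shared "admin".
DB_USERS = {
    "db1": DbUser("db1", frozenset({"db1"})),
    "db2": DbUser("db2", frozenset({"db2"})),
    "admin": DbUser("admin", frozenset({"db1", "db2"})),
}


def owned_dbs(customer):
    """Databases that belong to the given panel customer."""
    return {db for db, owner in DB_OWNER.items() if owner == customer}


def may_change_password_weak(customer, db_user):
    """Assumed flawed rule: overlap with one owned database is enough."""
    return bool(DB_USERS[db_user].databases & owned_dbs(customer))


def may_change_password_strict(customer, db_user):
    """Hardened rule: every database the account reaches must be the customer's."""
    dbs = DB_USERS[db_user].databases
    return bool(dbs) and dbs <= owned_dbs(customer)


def shared_accounts():
    """Audit helper: accounts whose grants span databases of several owners."""
    return sorted(
        u.name for u in DB_USERS.values()
        if len({DB_OWNER[d] for d in u.databases}) > 1
    )


if __name__ == "__main__":
    for customer in ("user1", "user2"):
        print(customer, "weak:", may_change_password_weak(customer, "admin"),
              "strict:", may_change_password_strict(customer, "admin"))
    print("accounts spanning owners:", shared_accounts())
```

Under the strict rule the shared account can only be managed by a server-level administrator, and `shared_accounts()` lists the accounts that need that treatment.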