2012
10.05

Today one of my clients warned me that he can access (and also create, modify, delete) an unknown database, which belongs to another client of mine. The problem was the naming: the database was called test_${domain}, and when I looked at the privileges tab in phpMyAdmin, it showed:

User | Host | Type               | Privileges
Any  | %    | wildcard: test\_%  | SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES

The strange thing is that you cannot delete this privilege, because there’s no such user in the database.

So the only solution is that you should not name a database “test_%”.
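
An audit for the situation described above, as an added example that is not part of the original post: it lists database-level grants held by the anonymous user (shown as "Any" in phpMyAdmin) and the existing databases whose names fall under them. It assumes an account that can read the `mysql` system schema.

```sql
-- Added example: audit for database-level grants held by the anonymous user.
-- Assumption: the session runs as an account allowed to read mysql.db.

-- 1. Anonymous (empty User) rows in the database-level grant table.
--    phpMyAdmin displays an empty User as "Any".
SELECT Host, Db, User,
       Select_priv, Insert_priv, Update_priv, Delete_priv,
       Create_priv, Drop_priv, Alter_priv
FROM mysql.db
WHERE User = '';

-- 2. Existing databases whose names match one of those patterns.
--    Db is stored as a LIKE pattern: in test\_% the backslash makes the
--    underscore literal and % matches any suffix, so every database whose
--    name starts with "test_" is covered.
SELECT s.SCHEMA_NAME AS exposed_database,
       d.Db          AS matching_pattern,
       d.Host
FROM information_schema.SCHEMATA AS s
JOIN mysql.db AS d
  ON s.SCHEMA_NAME LIKE d.Db
WHERE d.User = ''
ORDER BY s.SCHEMA_NAME;
```

Any row returned by the second query is a database that every account on the server, regardless of its own grants, can read and modify.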
