Gossamer Forum

Security Bug

I know that is probably a general MySQL question...but does anyone know off-hand which command or file I can direct my ISP to that will turn off listing and accessing other people's tables and databases? (I know that this has to be done at the root level of the server with sys admin permissions.) (I think that pugdog alluded to problems with virtual servers and database/table access in a Thread somewhere in the forums.)

I realized that through the MySQLMan script, I can see other databases and tables...I can also modify other people's tables and also create new databases (haven't tried deleting other databases and tables, but I betcha I can). I should NOT be able to do this. I do have my database and tables password protected, but if other people install and use MySQLMan, then they can screw up my database and also hack my Links SQL scripts (by viewing the User table and getting password and username info).

If this has been posted before...I apologize. The only related Thread I found was the one posted by Carol (JPDeni).

Thanks in advance. Any suggestions or tips would be greatly appreciated! (Yes, I did search the MySQL Manual documents and could not find any info that would assist my ISP with correcting this problem.)

Regards,

Eliot Lee
Re: Security Bug
MySQLMan is only a web-based interface to MySQL. It follows the permissions set in the tables in the database "mysql" and does not let you do things that you are not expected to do. Therefore, if you can access other databases using MySQLMan, then you should be able to access them in MySQL at the command prompt with your username and password as well.

We are currently working on the next version of MySQLMan. We will add an option so that MySQLMan will skip the login page and take you directly to the database specified in the config file. The next version will be released soon and we hope that you will find it more helpful to you. =)

Cheers,

--
Gossamer Threads, Inc.
Re: Security Bug
Thanks for your response, Steven.

Like I said before...I know that is probably a general MySQL issue and I was wondering if anyone knows the exact documentation in the MySQL Manual that will help me communicate with my ISP that they have a major security leak in their MySQL server.

About bypassing the login...I don't really think that will be a solution since if you can see all the other databases via telnet (which I can BTW and I can also ALTER other people's tables, like they can most likely ALTER mine), then bypassing the login doesn't seem like it will solve this particular problem. But I am new to MySQL, so I could be wrong.

Regards,

Eliot Lee
Re: Security Bug
Good grief! You should at most be able to see other people's databases; however, on a normal setup you shouldn't be able to see anyone else's tables, let alone alter/view any data or table structures.

Your ISP should have a good read of the security section of the MySQL docs found on their site. At a minimum they should remove any anonymous access, and make sure every database has a unique login and password.

Hope that helps,

Alex

--
Gossamer Threads Inc.
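
The two checks suggested in the post above (no anonymous access, one login per database), together with the over-broad global privileges described in the opening post, can be audited from `SHOW GRANTS` output. The following is an added example, not part of the original thread or of MySQLMan; the account names, database names and the `admins` allow-list are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: SHOW GRANTS output gathered for each account on a
# shared server. Account and database names are invented for illustration.
SAMPLE_GRANTS = """\
GRANT USAGE ON *.* TO ''@'localhost'
GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER ON *.* TO 'cust_a'@'localhost'
GRANT USAGE ON *.* TO 'cust_b'@'localhost'
GRANT ALL PRIVILEGES ON `cust_b_db`.* TO 'cust_b'@'localhost'
GRANT USAGE ON *.* TO 'cust_c'@'localhost'
GRANT ALL PRIVILEGES ON `cust_b_db`.* TO 'cust_c'@'localhost'
"""

GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO '(?P<user>[^']*)'@'(?P<host>[^']*)'"
)

def audit_grants(grants_text, admins=("root",)):
    """Return (issue, subject) findings; `admins` is a hypothetical allow-list."""
    findings = []
    db_users = defaultdict(set)
    def flag(issue, subject):
        if (issue, subject) not in findings:
            findings.append((issue, subject))
    for line in grants_text.splitlines():
        m = GRANT_RE.match(line.strip())
        if not m:
            continue
        user, scope = m["user"], m["scope"]
        account = f"'{user}'@'{m['host']}'"
        if user == "":
            flag("anonymous-account", account)
        if scope == "*.*":
            # USAGE means "no privileges"; anything else applies to every database.
            if m["privs"].strip().upper() != "USAGE" and user not in admins:
                flag("global-privileges", account)
        else:
            db = scope.split(".")[0].strip("`")
            db_users[db].add(user)
    for db, users in sorted(db_users.items()):
        if len(users) > 1:
            flag("shared-database", db)
    return findings

if __name__ == "__main__":
    for issue, subject in audit_grants(SAMPLE_GRANTS):
        print(f"{issue}: {subject}")
```
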
Re: Security Bug
Thanks, Alex....I will let my ISP know.

Thanks....I know that my ISP may not be that versed in MySQL because it took them three weeks to reset my MySQL password and give me a new one.

Regards,

Eliot Lee