Bug #5821 User can create databases without permissions
Submitted: 30 Sep 2004 11:04    Modified: 30 Sep 2004 12:31
Reporter: Isaac Saldana
Status: Not a Bug
Category: MySQL Server    Severity: S1 (Critical)
Version: 4.0.20, 4.0.21    OS: Tested on Linux 2.4.27
Assigned to:    CPU Architecture: Any

[30 Sep 2004 11:04] Isaac Saldana
Description:
When a user has access to a database and such database name has an underscore (_), he can create databases with similar names even without any permissions.  The way to do it is by having the same database name and substituting the underscore with a character such as ? or *.

How to repeat:
[root@atlhosting]# mysql -p -u atl -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2371 to server version: 4.0.20

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show databases;
+-------------+
| Database    |
+-------------+
| atlbugs_db  |
| atlchat_db  |
| atlcode_db  |
| atlforum_db |
| atlusers_db |
+-------------+
5 rows in set (0.00 sec)

mysql> create database foobar;
ERROR 1044: Access denied for user: 'atl@localhost' to database 'foobar'
mysql> create database atlbugs?db;
ERROR 1064: You have an error in your SQL syntax.  Check the manual that corresponds to your MySQL server version for the right syntax to use near '?db' at line 1
mysql> create database `atlbugs?db`;
Query OK, 1 row affected (0.00 sec)

mysql> show databases;
+-------------+
| Database    |
+-------------+
| atlbugs?db  |
| atlbugs_db  |
| atlchat_db  |
| atlcode_db  |
| atlforum_db |
| atlusers_db |
+-------------+
6 rows in set (0.00 sec)

mysql> create database `foobar`;
ERROR 1044: Access denied for user: 'atl@localhost' to database 'foobar'
mysql> create database `atlchat?db`;
Query OK, 1 row affected (0.00 sec)

mysql> create database `atlchat??db`;
ERROR 1044: Access denied for user: 'atl@localhost' to database 'atlchat??db'
mysql> create database `atlchat*db`;
Query OK, 1 row affected (0.00 sec)

mysql> show databases;
+-------------+
| Database    |
+-------------+
| atlbugs?db  |
| atlbugs_db  |
| atlchat*db  |
| atlchat?db  |
| atlchat_db  |
| atlcode_db  |
| atlforum_db |
| atlusers_db |
+-------------+
8 rows in set (0.00 sec)

mysql>
[30 Sep 2004 12:31] Paul DuBois
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.mysql.com/documentation/ and the instructions on
how to report a bug at http://bugs.mysql.com/how-to-report.php

Additional info:

This occurs because _ and % are wildcard characters.
To avoid this behavior, precede the _ with a \
character when granting privileges with GRANT.

More information:

http://dev.mysql.com/doc/mysql/en/GRANT.html
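The following is an added example, not part of the bug report and not MySQL's own code. It models the LIKE-style matching the server applies to the Db column of the privilege table (`%` matches any run, `_` any single character, `\` escapes the next character; case handling is ignored here as an assumption) and includes a small audit helper that flags grants whose database name contains unescaped wildcards, which is how the situation in this report can be found before a user does.

```python
import re

WILD_MANY, WILD_ONE, WILD_ESCAPE = "%", "_", "\\"


def db_pattern_to_regex(grant_db: str) -> re.Pattern:
    """Translate a Db column value (as stored by GRANT) into an anchored regex
    following MySQL's LIKE rules: % = any run, _ = one char, \\ escapes."""
    parts, i = [], 0
    while i < len(grant_db):
        c = grant_db[i]
        if c == WILD_ESCAPE and i + 1 < len(grant_db):
            parts.append(re.escape(grant_db[i + 1]))  # literal next char
            i += 2
            continue
        if c == WILD_MANY:
            parts.append(".*")
        elif c == WILD_ONE:
            parts.append(".")
        else:
            parts.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


def grant_matches(grant_db: str, requested_db: str) -> bool:
    """True if a grant on `grant_db` also covers `requested_db`."""
    return db_pattern_to_regex(grant_db).fullmatch(requested_db) is not None


def databases_reachable(grant_db: str, names: list) -> list:
    """Filter a list of database names down to those the grant covers."""
    return [n for n in names if grant_matches(grant_db, n)]


def unescaped_wildcards(grant_db: str) -> list:
    """Audit helper: (position, char) of every % or _ not preceded by \\."""
    found, i = [], 0
    while i < len(grant_db):
        if grant_db[i] == WILD_ESCAPE:
            i += 2  # skip the escaped character
            continue
        if grant_db[i] in (WILD_MANY, WILD_ONE):
            found.append((i, grant_db[i]))
        i += 1
    return found


if __name__ == "__main__":
    # Constructed sample: the grant as issued vs. the grant with the _ escaped.
    for g in ("atlbugs_db", "atlbugs\\_db"):
        print(g, "->", databases_reachable(g, ["atlbugs_db", "atlbugs?db"]),
              "unescaped:", unescaped_wildcards(g))
```

Running it shows that `atlbugs_db` covers both `atlbugs_db` and `atlbugs?db`, while `atlbugs\_db` covers only the real database and reports no unescaped wildcards.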
[31 Jan 2005 23:39] Robert Hopson
I recently started seeing this problem on a MySQL 4.0.20 server with many user accounts and databases; exactly as Isaac described, we have databases with underscores in the names, and the non-privileged users that couldn't otherwise create databases can create additional databases by not escaping the wildcards.

Doesn't the fact that an unprivileged user can create a database by not escaping the wildcards make this a semi-serious bug?