Bug #1791 This bug allows user to create a 2nd database without the rights to do this
Submitted: 10 Nov 2003 1:16 Modified: 11 Nov 2003 0:29
Reporter: Marco Kaiser Email Updates:
Status: Not a Bug Impact on me:
None 
Category:MySQL Server Severity:S1 (Critical)
Version:4.0.15a OS:FreeBSD (FreeBSD / Linux)
Assigned to: CPU Architecture:Any

[10 Nov 2003 1:16] Marco Kaiser
Description:
If you have a Database with a "_" in the name like "test_db" its possible to create a 2nd database called "test?db".

How to repeat:
CREATE DATABASE test_db;

INSERT INTO `user` VALUES ('localhost', 'test', PASSWORD('test'), 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', '', '', '', '', 0, 0, 0);

INSERT INTO `db` VALUES ('localhost', 'test_db', 'test', 'Y', 'N', 'N', 'N', 'Y', 'N', 'N', 'N', 'N', 'N', 'N', 'N');

Create Database wetestthis; #Results in a error, we are not allowed to do this
Create Database `test?db`; #Results i a success. Its works and we have the rights for the 2nd DB.
[10 Nov 2003 9:44] Paul DuBois
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.mysql.com/documentation/ and the instructions on
how to report a bug at http://bugs.mysql.com/how-to-report.php

The _ and % are wildcard characters in the Db column of the db table.
To specify a literal _ character, precede it with a backslash.

See:

http://www.mysql.com/doc/en/GRANT.html
[10 Nov 2003 10:41] Marco Kaiser
Sorry but thisis not a feature, i know the manual and Zak Greant told me to report this bug here. So lemme explain this bug again.

If i have a database with a _ in the name an a user with Select and create rights in the mysql.db table this user can create a 2nd DB.

I can give login/passwords for a example database if required.
[11 Nov 2003 0:29] Zak Greant
Hi Marco,

The user has the CREATE privilege for 'test_db'. They are allowed to create databases of the form 
'test{any single character here}db'.

This behavior is even mentioned in the manual. From http://www.mysql.com/doc/en/GRANT.html:

"Please note: the `_' and `%' wildcards are allowed when specifying database names in GRANT 
commands. This means that if you wish to use for instance a `_' character as part of a database 
name, you should specify it as `\_' in the GRANT command, to prevent the user from being able to 
access additional databases matching the wildcard pattern, for example, GRANT ... ON 
`foo\_bar`.* TO ...."

Cheers!
--zak