Bug #1825 using % host names
Submitted: 12 Nov 2003 23:20
Modified: 13 Nov 2003 8:10
Reporter: carl mcdade
Status: Not a Bug
Category: MySQL Server
Severity: S1 (Critical)
Version: all
OS: Windows (windows)
Assigned to:
CPU Architecture: Any

[12 Nov 2003 23:20] carl mcdade
Description:
It is the roaming % setting. All dBs with % are open to those users that have this and use MySQLCC. This is a bug because the user and password are ignored. Remove the default % from all but one db and you get just one login for one db.

The problem now is that I need 25 roaming users (dynamic IP users). If I use % (any IP address) to make them then they all will have access to each other's dbs. This is a big bug in the security system.

This is present in all versions of MySQL 3.2.2 and up and so has nothing to do with Alpha software.

How to repeat:
Use MySQLCC to create new dbs and one user using % as host name. This user will have select, create and alter permissions to all databases using % as their host name. The default hostname % is used when creating new dbs.

Suggested fix:
The database should check for the user and password regardless of whether the % is used. This allows multiple remote users in the field using dynamic IP addresses to log in to just their db.

Remove % as the default host name when creating dbs.

[13 Nov 2003 8:10] Dean Ellis
This would appear to be the fault of the anonymous logins for localhost. As the MySQL manual mentions, the Windows distribution grants global privileges to the anonymous login for localhost.

Remove the anonymous logins for localhost and see if the issue persists.

Thank you.
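
Added example, not part of the original thread: one way to carry out the check suggested in the reply above, by listing anonymous accounts and `%` grants in the grant tables, removing the anonymous localhost logins, and confirming which account a session was matched to. The account name `roaming_user` is a placeholder, and the statements assume an administrative login.

```sql
-- Added example: audit and remove anonymous accounts (User = '').
-- The grant tables live in the mysql system database.

-- 1. List anonymous accounts and the global privileges they hold.
--    A 'Y' in this table applies to every database on the server.
SELECT Host, User, Select_priv, Create_priv, Alter_priv
  FROM mysql.user
 WHERE User = '';

-- 2. List database-level grants that apply to anonymous users or to
--    any host, to see which databases are reachable through '%'.
SELECT Host, Db, User, Select_priv, Create_priv, Alter_priv
  FROM mysql.db
 WHERE User = '' OR Host = '%'
 ORDER BY Db, User;

-- 3. Remove the anonymous logins for localhost.
--    (On current MySQL versions, DROP USER ''@'localhost' is the
--    equivalent statement.)
DELETE FROM mysql.user
 WHERE User = '' AND Host = 'localhost';

-- 4. Direct edits to the grant tables take effect only after a reload.
FLUSH PRIVILEGES;

-- 5. Confirm the removal; the count should be 0.
SELECT COUNT(*) AS anonymous_localhost
  FROM mysql.user
 WHERE User = '' AND Host = 'localhost';

-- 6. From a test session, check which account row the server matched.
--    A result with an empty user part (for example '@localhost') means
--    the session was authenticated as the anonymous account.
SELECT CURRENT_USER();

-- 7. Review what one roaming account is actually granted.
--    'roaming_user' is a placeholder account name.
SHOW GRANTS FOR 'roaming_user'@'%';
```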