Bug #25871 Creation of new databases without create-privilege with "create if not exist"
Submitted: 26 Jan 2007 15:31
Modified: 26 Jan 2007 16:50
Reporter: Ronny Biering
Status: Not a Bug
Category: MySQL Server: Security: Privileges
Severity: S2 (Serious)
Version: 4.0.x; 4.1x; 5.x
OS: Linux (Linux 32 Bit RedHat)
Assigned to:
CPU Architecture: Any

[26 Jan 2007 15:31] Ronny Biering
Description:
It is possible to create new "zombie" databases without any privileges for the user in combination with one existing.

Schema would be that the user itself has no privileges.
Only the usual privileges are set for the access to one database.
The name of the database must have a "_" in it.
(For example 'test_base')

If this user then connects to the MySQL server in any way without a specific database, he could use the following command to create the new database:

CREATE DATABASE IF NOT EXISTS `test[ANY SINGLE CHARACTER AT THIS POINT]base`; 

Here it seems that mysql would interpret this "_" as a wildcard.
But this only happens with the '`' in this command.

All those new databases are accessible and could be used like a normal one.
But there are no entries in the mysql.db or mysql.user table for this one.

The only way to see these DBs is via the files on the disk.

How to repeat:
Create a new database:
CREATE DATABASE `test_base`;

Add the user:
GRANT ALL ON test_base.* TO test1 IDENTIFIED BY  'test';

Login as user:
mysql -u test1 -ptest

Create the new DB as you like:
create database if not exists `test,base`;
create database if not exists `test=base`;
create database if not exists `testxbase`;
create database if not exists `test?base`;
create database if not exists `test*base`;
[26 Jan 2007 16:50] Valeriy Kravchuk
Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://dev.mysql.com/doc/, namely http://dev.mysql.com/doc/refman/5.0/en/grant.html:

"Note: the ‘_’ and ‘%’ wildcards are allowed when specifying database names in GRANT  statements that grant privileges at the global or database levels. This means, for example, that if you want to use a ‘_’ character as part of a database name, you should specify it as ‘\_’ in the GRANT statement, to prevent the user from being able to access additional databases matching the wildcard pattern; for example, GRANT ... ON `foo\_bar`.* TO ...."