Bug #27800 Security problem mysql -u root-p
Submitted: 13 Apr 2007 3:50
Modified: 13 May 2007 7:23
Reporter: Joe Amaral
Status: No Feedback
Category: MySQL Server: General
Severity: S3 (Non-critical)
Version: mysql Ver 14.7 Distrib 4.1.20, for redh
OS: Any
Assigned to:
CPU Architecture: Any
Tags: for redhat-linux-gnu (i686) using readline 4.3, mysql Ver 14.7 Distrib 4.1.20

[13 Apr 2007 3:50] Joe Amaral
Description:
Even when a password is set, putting a -p right after the username allows you in:

mysql -u root-p 

Will let you right in.

How to repeat:
Make sure you have a username with a password and then don't put a space after the username and then add the -p. You get in even if you have assigned a password.
[13 Apr 2007 3:56] Paul DuBois
In this case, you are attempting to connect as the
user named "root-p" (the "-p" is interpreted as
part of the username, not as a separate password).
If you have an anonymous account with no password,
the server likely is authenticating you as that user.

To find out, connect as you have described, and then
issue these queries:

SHOW GRANTS;
SELECT CURRENT_USER();

If the output shows that the username is blank (''),
then you have connected as the anonymous user
that has no password. In that case, if you delete
that account, the issue you have described should
go away.
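
The behaviour described in the reply above, as an added example that is not part of the original thread and is not MySQL's own code: a simplified Python model of how the client reads `-u root-p` and how the server picks an account row. The account rows, the password value and the function names are constructed for illustration; host matching is reduced to exact names plus `%`, and passwords are compared as plain strings.

```python
# Simplified model (assumption): exact-match hosts plus the '%' wildcard only,
# and plain string comparison instead of the server's hashed password check.

# Constructed grant table rows: (host, user, password). '' user = anonymous.
DEFAULT_ACCOUNTS = [
    ("localhost", "root", "constructed-secret"),
    ("localhost", "", ""),  # anonymous account with no password
]
HARDENED = [a for a in DEFAULT_ACCOUNTS if a[1] != ""]  # anonymous row deleted


def parse_client_args(argv):
    """Return (user, wants_password) the way short options -u/-p are read."""
    user, wants_password = None, False
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg == "-u" and i + 1 < len(argv):
            i += 1
            user = argv[i]          # the whole next token, e.g. "root-p"
        elif arg.startswith("-u") and len(arg) > 2:
            user = arg[2:]          # attached form: -uroot
        elif arg.startswith("-p"):
            wants_password = True   # a separate option: a password is sent
        i += 1
    return user, wants_password


def match_account(accounts, host, user):
    """Pick the first matching row: specific hosts first, blank user last."""
    ordered = sorted(accounts, key=lambda a: (a[0] == "%", a[1] == ""))
    for row_host, row_user, row_pw in ordered:
        if row_host in (host, "%") and row_user in (user, ""):
            return row_host, row_user, row_pw
    return None


def login(argv, accounts, typed_password="", host="localhost"):
    """Return what CURRENT_USER() would show, or None if access is denied."""
    user, wants_password = parse_client_args(argv)
    sent = typed_password if wants_password else ""
    row = match_account(accounts, host, user)
    if row is None or row[2] != sent:
        return None
    return f"{row[1]}@{row[0]}"


if __name__ == "__main__":
    for argv in (["-u", "root-p"], ["-u", "root"], ["-u", "root", "-p"]):
        print(argv, "->", login(argv, DEFAULT_ACCOUNTS, "constructed-secret"),
              "| hardened:", login(argv, HARDENED, "constructed-secret"))
```

In the model, `-u root-p` lands on the anonymous row and never on `root`, and once the anonymous row is removed the same command is denied.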
[13 May 2007 23:02] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".