Bug #71882 Use the Linux client and type the option -u twice.
Submitted: 28 Feb 2014 15:04 Modified: 17 Jun 2014 12:09
Reporter: Julien BRUNOT
Status: Not a Bug
Category: MySQL Server: General Severity: S3 (Non-critical)
Version:5.5.36 OS:Linux (Linux ubuntu-dev 3.8.0-34-generic #49-Ubuntu SMP Tue Nov 12 18:00:10 UTC 2013 x86_64 x86_64 x86_64 G)
Assigned to: CPU Architecture:Any
Tags: security vulnerability mysqlclient linux

[28 Feb 2014 15:04] Julien BRUNOT
Under Linux, using the client 'mysql', it's possible to connect to mysql without any user or password.

It's very simple with the command:
mysql -usomething -uother

You can see the database information_schema and make a select.

It's not possible to alter data.

How to repeat:
By typing a command like mysql -usomething -uother

Suggested fix:
Don't allow multiple -u options, and fix why a double can bypass the password

[10 Mar 2014 6:29] MySQL Verification Team
Hello Julien,

Thank you for the report.
This is normally observed when, post installation, you don't remove those accounts which are for anonymous users. These have an empty user name. The anonymous accounts have no password, so anyone can use them to connect to the MySQL server. For more details, see https://dev.mysql.com/doc/refman/5.6/en/default-privileges.html

You can check if the instance has anonymous accounts using:

SELECT User, Host, Password FROM mysql.user;

After removing those anonymous accounts, reload the grant table and report to us if you are still able to connect.
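
The check suggested in the reply above can be scripted. This is an added example, not part of the original thread or of MySQL itself: it parses the tab-separated output of `mysql -B -e "SELECT User, Host, Password FROM mysql.user"`, flags anonymous accounts (empty User), and also flags named accounts with an empty password, which goes slightly beyond what the reply asks for. The sample rows, the hash placeholder and the function names are constructed for illustration.

```python
import csv
import io

HASH = "*" + "A" * 40  # constructed placeholder, not a real password hash

# Constructed sample of `mysql -B` output (header row, tab-separated fields).
SAMPLE = (
    "User\tHost\tPassword\n"
    f"root\tlocalhost\t{HASH}\n"
    "root\tubuntu-dev\t\n"
    "\tlocalhost\t\n"
    "\tubuntu-dev\t\n"
    f"app\t%\t{HASH}\n"
)


def quote(value):
    """Quote one part of a MySQL account name ('user'@'host')."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def audit(batch_output):
    """Return (findings, fix_statements) for a mysql.user listing."""
    findings, fixes = [], []
    reader = csv.DictReader(io.StringIO(batch_output),
                            delimiter="\t", quoting=csv.QUOTE_NONE)
    for row in reader:
        user, host, password = row["User"], row["Host"], row["Password"]
        account = f"{quote(user)}@{quote(host)}"
        if user == "":
            # Anonymous account: matches any user name sent by the client.
            findings.append((account, "anonymous"))
            fixes.append(f"DROP USER {account};")
        elif password == "":
            # Named account without a password: flag for manual review.
            findings.append((account, "no password"))
    if fixes:
        fixes.append("FLUSH PRIVILEGES;")  # reload the grant tables
    return findings, fixes


if __name__ == "__main__":
    found, statements = audit(SAMPLE)
    for account, reason in found:
        print(f"{account}: {reason}")
    print("\n".join(statements))
```
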

[10 Mar 2014 9:02] Julien BRUNOT
Thanks a lot.

It works.

But I think that it is not normal that the script accepts the "u" option twice without raising an error.