From: jason
Date: May 30 2000 10:17pm
Subject: RE: serious bug allows anyone access to database as root
List-Archive: http://lists.mysql.com/bugs/166
Message-Id: <NCBBKNJBDLLNOGINHKCHKEKOJHAB.jason@squirrelgroup.com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>I'm using mysql 3.22.32 on Linux 2.2.14 kernel, and I believe that 
>I've found a major problem.
>
>If, at the command line, I type 
>
>  $ mysql -u root -p
>
>I get a password prompt, just like I should.  However, if I type
>
>  $ mysql -u root-p
>
>without the space after the "root," it lets me right in.  I can do
>this as any user, and I can repeat it over and over.  This seems to be
>a serious vulnerability.  

I'm unable to repeat on

  mysql  Ver 9.37 Distrib 3.22.29, for sun-solaris2.5.1 (sparc)

and on

  mysql  Ver 9.38 Distrib 3.22.32, for Win95/Win98 (i586)

on both I get what I'd expect

  ERROR 1045: Access denied for user: 'root-p@localhost' (Using
password: NO)

- -- 
  jason - elephant@stripped -

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.1 for non-commercial use <http://www.pgp.com>

iQA/AwUBOTTKkDYpBpopJvWUEQJkgACeLLTmzdVtow0Hmd4pIVm2CEo/TacAoKPW
E/OMqUoBxXOe261u4B3dNNkp
=qPP+
-----END PGP SIGNATURE-----