Enabling local data loading may allow attackers to read server files

Severity	Exploitability	Providers	Categories
HIGH	LOW	Google Cloud Provider	DATA

Description

Enabling 'local_infile' in the MySQL server configuration allows the LOAD DATA statement to use local files.

Anyone able to perform SQL requests on the server could read the content of files on the server by providing the file name to the statement.

Impact

Potential data exposure	Visible in logs	User interaction required	Privileges required
True	False	False	False

In case of an existing SQL injection vulnerability, the attacker would be able to read any file on the server.

Remediation guidelines

Disable the local_infile MySQL setting.

References

• Understanding the 'LOAD DATA' statement
• Security Considerations for LOAD DATA LOCAL
• More details on the vulnerability (authored by David Busby for Percona)

Was this page helpful?