Security Issues With LOAD DATA LOCAL – MySQL Security

The LOAD DATA statement can load a file that is located on the server host, or it can load a file that is located on the client host when the LOCAL keyword is specified.

There are two potential security issues with supporting the LOCAL version of LOAD DATA statements:

  • The transfer of the file from the client host to the server host is initiated by the MySQL server. In theory, a patched server could be built that would tell the client program to transfer a file of the server’s choosing rather than the file named by the client in the LOAD DATA statement. Such a server could access any file on the client host to which the client user has read access.
  • In a Web environment where the clients are connecting from a Web server, a user could use LOAD DATA LOCAL to read any files that the Web server process has read access to (assuming that a user could run any command against the SQL server). In this environment, the client with respect to the MySQL server actually is the Web server, not the remote program being run by the user who connects to the Web server.

How to deal with these problems?

  • By default, all MySQL clients and libraries in binary distributions are compiled with the –enablelocal-infile option.
  • If you build MySQL from source but do not invoke configure with the –enable-local-infile option, LOAD DATA LOCAL cannot be used by any client unless it is written explicitly to invoke mysql_options.
  • You can disable all LOAD DATA LOCAL statements from the server side by starting mysqld with the –local-infile=0 option.
  • For the mysql command-line client, enable LOAD DATA LOCAL by specifying the –localinfile[=1] option, or disable it with the –local-infile=0 option. For mysqlimport, local data file loading is off by default; enable it with the –local or -L option. In any case, successful use of a local load operation requires that the server permits it.
  • If you use LOAD DATA LOCAL in Perl scripts or other programs that read the [client] group from option files, you can add the local-infile=1 option to that group. However, to keep this from causing problems for programs that do not understand local-infile, specify it using the loose- prefix as follows:

[client]
loose-local-infile=1

  • If LOAD DATA LOCAL is disabled, either in the server or the client, a client that attempts to issue such a statement receives the following error message.

ERROR 1148: The used command is not allowed with this MySQL version

 

Related Posts

  • 48
    Applications that access MySQL should not trust any data entered by users, who can try to trick your code by entering special or escaped character sequences in Web forms, URLs, or whatever application you have built. Be sure that your application remains secure if a user enters something like “;…
    Tags: mysql, data, user, server, database, security, client
  • 45
    What is database? Database is an organized collection of information about an entity having controlled redundancy and serves multiple applications. DBMS (database management system) is an application software that is developed to create and manipulate the data in database. A query language can easily access a data in a database.…
    Tags: database, data, client, server, mysql
  • 44
    MySQL stores accounts in the user table of the mysql system database. An account is defined in terms of a user name and the client host or hosts from which the user can connect to the server. The account may also have a password. There are several distinctions between the…
    Tags: mysql, user, server, security
  • 40
    90% of the time, this error is due either to the MySQL Server not running, or else firewall configuration on the Windows server blocking access on port 3306 (or whatever port your MySQL instance is configured to use). Error: 2003 (CR_CONN_HOST_ERROR) Message: Can't connect to MySQL server on '%s' (%d)
    Tags: mysql, server, error
  • 39
    I tried the following steps: Log in as super user or use sudo Open /etc/mysql/my.cnf using gedit Check the all the configuration Find bind-address, and change its value to the database server host machine's IP address. For me, it was localhost or 127.0.0.1 Save and close the file. Come back…
    Tags: mysql, server, database, host, file, local, error, user

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: