MySQL Design Flaw Could Allow Malicious Servers to Steal Files


A design flaw has been discovered in the file transfer interaction between a client host and a MySQL server. The bug allows threat actors operating a malicious MySQL server to obtain any data the connected client has read access to. In short, due to this design flaw, a malicious MySQL server can be deployed to steal files from clients.



The MySQL Design Flaw, Explained

More specifically, the issue lies with the LOAD DATA statement when it is used with the LOCAL modifier, a combination the MySQL documentation itself describes as a security risk. LOAD DATA normally reads a file located on the server host; when the LOCAL keyword is added to the statement, the file is read from the client host instead.

Furthermore, the transfer of the file from the client host to the MySQL server host is initiated by the server, not by the client. After the client issues a LOAD DATA LOCAL statement, it waits for the server's file-transfer request and sends whatever file that request names. A malicious server can therefore answer a client's LOAD DATA LOCAL statement with a request for a file of its own choosing, and obtain any file the client has read permission on.

According to the official documentation of MySQL, “a patched server could be built that would tell the client program to transfer a file of the server’s choosing rather than the file named by the client in the LOAD DATA statement.”

The documentation also says that “to avoid LOAD DATA issues, clients should avoid using LOCAL. To avoid connecting to untrusted servers, clients can establish a secure connection and verify the server identity by connecting using the --ssl-mode=VERIFY_IDENTITY option and the appropriate CA certificate.”
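The exchange described above, and the client-side check that defends against it, as an added example that is not part of the original article and not MySQL's own client code. It assumes only the wire format of the MySQL client/server protocol: every packet is a 3-byte little-endian length, a 1-byte sequence id and a payload, and the server's "LOCAL INFILE Request" is a payload whose first byte is 0xFB followed by the file path. The sample packets and the policy function are constructed here; the `/etc/passwd` path is the one the article mentions.

```python
import re

# Packet type byte of a MySQL "LOCAL INFILE Request" (MySQL client/server protocol).
LOCAL_INFILE_REQUEST = 0xFB

# Matches the client's own LOAD DATA LOCAL INFILE statement and captures the path it named.
LOAD_DATA_LOCAL_RE = re.compile(
    r"^\s*LOAD\s+DATA\s+(?:(?:LOW_PRIORITY|CONCURRENT)\s+)?LOCAL\s+INFILE\s+'([^']*)'",
    re.IGNORECASE,
)


def build_packet(seq: int, payload: bytes) -> bytes:
    """Frame a payload as one MySQL packet: 3-byte LE length, 1-byte sequence id, payload."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


def parse_packet(data: bytes):
    """Return (sequence id, payload) of a single framed packet, checking the length field."""
    if len(data) < 4:
        raise ValueError("short packet header")
    length = int.from_bytes(data[:3], "little")
    payload = data[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    return data[3], payload


def local_infile_request_path(payload: bytes):
    """Return the path the server asks for, or None if this is not a LOCAL INFILE request."""
    if payload and payload[0] == LOCAL_INFILE_REQUEST:
        return payload[1:].decode("utf-8", errors="replace")
    return None


def should_send_file(server_packet: bytes, client_statement: str, local_infile_enabled: bool):
    """Client-side policy for a server packet. Returns (action, detail).

    action is "proceed" (not a file request), "send" (honor it) or "refuse".
    The file is sent only if (1) LOCAL INFILE is enabled on this client,
    (2) the statement the client just sent was itself LOAD DATA LOCAL INFILE,
    and (3) the path the server asks for is exactly the path the client named.
    A server that asks for anything else is treated as the malicious server
    the article describes, and its request is refused.
    """
    _, payload = parse_packet(server_packet)
    requested = local_infile_request_path(payload)
    if requested is None:
        return "proceed", "not a LOCAL INFILE request"
    if not local_infile_enabled:
        return "refuse", "LOCAL INFILE disabled on this client"
    match = LOAD_DATA_LOCAL_RE.match(client_statement)
    if match is None:
        return "refuse", f"unsolicited request for {requested!r}"
    expected = match.group(1)
    if requested != expected:
        return "refuse", f"server asked for {requested!r} but statement named {expected!r}"
    return "send", requested


# Constructed sample packets (assumed values, not real captures).
PASSWD_REQUEST = build_packet(1, bytes([LOCAL_INFILE_REQUEST]) + b"/etc/passwd")
CSV_REQUEST = build_packet(1, bytes([LOCAL_INFILE_REQUEST]) + b"/tmp/orders.csv")
OK_PACKET = build_packet(1, b"\x00\x00\x00\x02\x00\x00\x00")  # a plain OK packet

if __name__ == "__main__":
    stmt = "LOAD DATA LOCAL INFILE '/tmp/orders.csv' INTO TABLE orders"
    print(should_send_file(PASSWD_REQUEST, "SELECT 1", True))   # refuse: unsolicited
    print(should_send_file(PASSWD_REQUEST, stmt, True))         # refuse: path mismatch
    print(should_send_file(CSV_REQUEST, stmt, True))            # send
    print(should_send_file(CSV_REQUEST, stmt, False))           # refuse: LOCAL disabled
    print(should_send_file(OK_PACKET, "SELECT 1", True))        # proceed
```

The check pairs the two mitigations from the documentation: leaving LOCAL INFILE disabled refuses every file request outright, and even when it is enabled the client only ever sends the file it asked to load, so a server that was "patched" to name a different file gets nothing. Verifying the server identity with `--ssl-mode=VERIFY_IDENTITY` is the complementary control on the transport, which this packet-level check does not replace.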

It should also be noted that the design flaw affects web servers that connect to a MySQL server while acting as clients. In this case, a threat actor controlling the server side can trigger the flaw to steal information such as the web server's /etc/passwd file.

Security researcher Willem de Groot believes that

According to Willem de Groot, in the last quarter, 1 out of 5 breached stores were infected (and cleaned) multiple times, some even up to 18 times.
Magecart hackers exploited the vulnerability to inject skimming code into vulnerable online shopping websites.


Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!
