Servers Grab Client Files via MySQL Design Flaw

January 22, 2019 / Kacy Zurkus

Attackers can potentially run a malicious MySQL server and gain access to connected data, according to a new security alert. MySQL has issued a security notice over issues with LOAD DATA LOCAL, noting that the “statement can load a file located on the server host, or, if the LOCAL keyword is specified, on the client host.”

The design flaw exists in the file transfer interaction between a client host and a MySQL server, according to BleepingComputer. Leveraging this attack would allow a malicious actor to steal sensitive information from a web server that is improperly configured to allow connections to untrusted servers, or from database management applications.

According to the security notice, there are two potential security concerns. “The transfer of the file from the client host to the server host is initiated by the MySQL server. In theory, a patched server could be built that would tell the client program to transfer a file of the serve...
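Because the server initiates the transfer, a client can defend itself by validating the file request before honoring it. The following is an added example, not code from MySQL or from the article: it parses the first response packet to a query and refuses a file request (header byte 0xFB in the MySQL client/server protocol) unless the client itself sent a matching LOAD DATA LOCAL statement. The function names, the simplified statement matcher, and the sample packets in the test are assumptions constructed for illustration.

```python
import re

LOCAL_INFILE_REQUEST = 0xFB  # header byte of a LOCAL INFILE Request packet

# Simplified matcher for the statement the client itself sent
# (assumption: single-quoted filename without escape sequences).
_LOAD_LOCAL = re.compile(
    r"^\s*LOAD\s+DATA\s+(?:LOW_PRIORITY\s+|CONCURRENT\s+)?LOCAL\s+INFILE\s+'([^']*)'",
    re.IGNORECASE,
)


def frame(seq: int, payload: bytes) -> bytes:
    """Build a wire packet: 3-byte little-endian length, 1-byte sequence id."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


def parse_packet(raw: bytes):
    """Split one wire packet into (sequence_id, payload), checking its length."""
    if len(raw) < 4:
        raise ValueError("short packet header")
    length = int.from_bytes(raw[:3], "little")
    payload = raw[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    return raw[3], payload


def check_first_response(query: str, raw: bytes, local_infile_enabled: bool) -> str:
    """Classify the first packet a server returns for `query`.

    Only the first response packet is inspected: later in a text result set
    the byte 0xFB has a different meaning (a NULL column value).
    """
    _, payload = parse_packet(raw)
    if payload[:1] != bytes([LOCAL_INFILE_REQUEST]):
        return "no-file-request"
    wanted = payload[1:].decode("utf-8", "replace")
    sent = _LOAD_LOCAL.match(query)
    # Honor the request only if the feature is on AND the client asked to
    # load exactly this file; anything else is an unsolicited request.
    if local_infile_enabled and sent and sent.group(1) == wanted:
        return "allow"
    return "refuse"
```

A "refuse" result for a query that never mentioned LOAD DATA LOCAL is also worth logging, since a well-behaved server has no reason to send that packet.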