4.4 Ensure 'local_infile' Is Disabled

Information

The local_infile parameter dictates whether files located on the MySQL client's computer can be loaded or selected via LOAD DATA INFILE or SELECT local_file.

Rationale:

Disabling local_infile reduces an attacker's ability to read sensitive files off the affected server via an SQL injection vulnerability.

Impact:

Disabling local_infile will impact the functionality of solutions that rely on it.

Solution

Add the following line to the [mysqld] section of the MySQL configuration file and restart the MySQL service:

local_infile=OFF

Default Value:

ON

See Also

https://workbench.cisecurity.org/files/3859

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|4.7

Plugin: MySQLDB

Control ID: 8c9bc4c0ec9168ee51f8be2975651bc23a2b73a91575bcc8900c3229607447c0