4.4 Ensure 'local_infile' Is Disabled

Information

The local_infile parameter dictates whether files located on the MySQL client's computer can be loaded or selected via LOAD DATA INFILE or SELECT local_file.

Rationale:

Disabling local_infile reduces an attacker's ability to read sensitive files off the affected server via an SQL injection vulnerability.

Impact:

Disabling local_infile will impact the functionality of solutions that rely on it.

Solution

Add the following line to the [mysqld] section of the MySQL configuration file and restart the MySQL service:

local_infile=OFF

Default Value:

ON

See Also

https://workbench.cisecurity.org/files/3848

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|4.7

Plugin: MySQLDB

Control ID: 603b3bf246c1a08e581afb77c857f919c717033854051ab3cff4cb87ac35cf53