4.4 Harden Usage for 'local_infile' on MySQL Clients

Information

The local_infile parameter dictates whether files located on the MySQL client's computer can be loaded or selected via LOAD DATA INFILE or SELECT local_file.

Rationale:

Disabling local_infile reduces an attacker's ability to read sensitive files off the affected server via an SQL injection vulnerability.

Impact:

Disabling local_infile will impact the functionality of solutions that rely on it.

Solution

Add the following line to the [mysqld] section of the MySQL configuration file and restart the MySQL service:

local_infile=OFF

Default Value:

ON

See Also

https://workbench.cisecurity.org/files/3844

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|4.7

Plugin: MySQLDB

Control ID: 38d45639242382d5813ece4f17377912faa2dd09b342f8a9f13aa0e16c007e87