4.4 Harden Usage for 'local_infile' on MySQL Clients

Information

The local_infile parameter dictates whether files located on the MySQL client's computer can be loaded or selected via LOAD DATA INFILE or SELECT local_file.

Rationale:

Disabling local_infile reduces an attacker's ability to read sensitive files off the affected server via an SQL injection vulnerability.

Impact:

Disabling local_infile will impact the functionality of solutions that rely on it.

Solution

Add the following line to the [mysqld] section of the MySQL configuration file and restart the MySQL service:

local-infile=OFF

Default Value:

ON

See Also

https://workbench.cisecurity.org/files/3855

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|4.7

Plugin: MySQLDB

Control ID: 411cb290556a5193fc4646abc356e51f29f236a3182024999f21ea4e2123656d