
MySQL vulnerability allows access to a server’s files

An attacker could run a malicious MySQL server and gain access to the data of hosts that connect to it, as reported in a security message

MySQL administrators have posted a security alert informing users about a drawback with LOAD DATA LOCAL, noting that “the declaration can load a file located on the server host or, if the LOCAL keyword is specified, on the client host”, as reported by network security and ethical hacking specialists from the International Institute of Cyber Security.

This flaw exists in the file-transfer interaction between a client host and a MySQL server, as reported by network security specialists. Exploiting this flaw would allow a malicious actor to steal sensitive information from a poorly configured web server that allows connections to untrusted servers, or from database management applications.

According to the security alert, there are two main drawbacks. “Transferring the file from the client host to the server host is started by the MySQL server. In theory, a patched server could be built that would instruct the client program to transfer a file of the server’s choosing instead of the file named by the client in the LOAD DATA declaration. This server could access any file on the client host to which the client user has read access”.
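
The check a client would need against the behaviour the alert describes, as an added example (not code from MySQL or from the original article): it parses the server's reply and agrees to upload a file only when the requested name matches the one in the client's own LOAD DATA LOCAL statement. The packet framing and the 0xFB request marker follow the MySQL client/server protocol; `decide`, `parse_packet`, `make_packet` and the sample statements and replies are names and data constructed for illustration.

```python
import re

LOCAL_INFILE_REQUEST = 0xFB  # first payload byte when the server asks the client for a file

# File named by the client in its own statement (simplified: single-quoted, no escapes).
_LOAD_LOCAL = re.compile(
    r"^\s*LOAD\s+DATA\s+(?:LOW_PRIORITY\s+|CONCURRENT\s+)?LOCAL\s+INFILE\s+'([^']*)'",
    re.IGNORECASE,
)

def make_packet(seq: int, payload: bytes) -> bytes:
    """Frame a payload as a MySQL packet: 3-byte little-endian length, 1-byte sequence id."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

def parse_packet(raw: bytes) -> bytes:
    """Return the payload of one MySQL packet, rejecting truncated input."""
    if len(raw) < 4:
        raise ValueError("truncated packet header")
    length = int.from_bytes(raw[:3], "little")
    payload = raw[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated packet payload")
    return payload

def decide(statement: str, server_reply: bytes) -> str:
    """Decide whether the client should upload a file in answer to server_reply."""
    payload = parse_packet(server_reply)
    if not payload or payload[0] != LOCAL_INFILE_REQUEST:
        return "no-file-request"
    requested = payload[1:].decode("utf-8", errors="replace")
    match = _LOAD_LOCAL.match(statement)
    if match is None:
        return "refuse: client never issued LOAD DATA LOCAL"
    if requested != match.group(1):
        return "refuse: server asked for a file the client did not name"
    return "send"

if __name__ == "__main__":
    # Constructed replies to a query (sequence id 1); not captured traffic.
    load = "LOAD DATA LOCAL INFILE 'orders.csv' INTO TABLE orders"
    samples = [
        (load, make_packet(1, b"\xfborders.csv")),
        (load, make_packet(1, b"\xfb/home/app/.ssh/id_rsa")),
        ("SELECT 1", make_packet(1, b"\xfbwallet.dat")),
        ("SELECT 1", make_packet(1, b"\x00\x00\x00\x02\x00\x00\x00")),
    ]
    for statement, reply in samples:
        print(f"{statement[:24]!r:28} -> {decide(statement, reply)}")
```

Where uploads from the client are not needed at all, turning the capability off in the client (for the `mysql` command-line client, `--local-infile=0`) removes the exposure altogether.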

In a post published on his blog on January 20, the network security expert Willem de Groot responded to the security notice's claim that this failure could be exploited “in theory”, pointing out that “a malicious MySQL server that is capable of doing that can be found on GitHub, and it’s probably been used to leak passwords from the hacked sites. This could be leveraged to steal SSH keys, online cryptocurrency wallets, among other malicious activities”.

“Although this may not seem serious, as few users are really deceived into connecting to malicious MySQL servers, there are many web servers with vulnerable database management interfaces that allow connections to arbitrary servers to be initiated from the attacker's side”, says Craig Young, an analyst at a network security firm.

“Website administrators should know that these pages, even when they are not linked to other content, can be discovered and exploited by attackers. Management tools such as admin must not be left unprotected under any circumstances”.
