Patrick Domingues

MySQL has released a security statement providing the following information:

The LOAD DATA statement can load a file located on the server host, or, if the LOCAL keyword is specified, on the client host.

There are two potential security issues with the LOCALversion of LOAD DATA:

• The transfer of the file from the client host to the server host is initiated by the MySQL server. In theory, a patched server could be built that would tell the client program to transfer a file of the server’s choosing rather than the file named by the client in the LOAD DATA statement. Such a server could access any file on the client host to which the client user has read access. (A patched server could in fact reply with a file-transfer request to any statement, not just LOAD DATA LOCAL, so a more fundamental issue is that clients should not connect to untrusted servers.)
• In a Web environment where the clients are connecting from a Web server, a user could use LOAD DATA LOCAL to read any files that the Web server process has read access to (assuming that a user could run any statement against the SQL server). In this environment, the client with respect to the MySQL server actually is the Web server, not a remote program being run by users who connect to the Web server.

To avoid LOAD DATA issues, clients should avoid using LOCAL. To avoid connecting to untrusted servers, clients can establish a secure connection and verify the server identity by connecting using the --ssl-mode=VERIFY_IDENTITY option and the appropriate CA certificate.

More Details can be found at MySQL

• Fixing WebView2 Issues on ARM64: Why Outlook and Teams Keep Breaking (and How to Fix Them)
• How to Enable Auto Recording & Transcription in Microsoft Teams and Assign Meeting Policies to All Users
• How to Install SentinelOne on Ubuntu 24.04
• How to Completely Remove SentinelOne from Ubuntu 24.04
• PowerShell Script to Force Uninstall Umbrella Roaming Client

Patrick Domingues

See Full Bio