Insecure Defaults - Exploiting LOAD DATA LOCAL INFILE

Although it is documented that the default binary distributions of MySQL, MariaDB and Percona all seem to be compiled with local infile enabled, the warning in that documentation is misleading: the transfer of the file from the client host to the server host is initiated by the MySQL server. In theory, a patched server could be built that would tell the client program to transfer a file of the server's choosing rather than the file named by the client in the LOAD DATA statement. Such a server could access any file on the…


Node.JS Request Smuggling

The Node HTTP client checks for invalid characters, such as new lines, that could be used to perform HTTP request smuggling attacks; however, the rules for the path option are quite relaxed. Because we can inject new lines and tabs into the path, we can force multiple arbitrary HTTP requests to be made. This only works if the target HTTP server has a relaxed HTTP parser that accepts tabs in place of spaces (for example, Apache). This was tested in Node versions v0.12 through v6.20 (stable) and should work…
