Neuron MySQLSelectTool Read-Only Bypass Vulnerability Allowing Arbitrary File Write

Vulnerability

A vulnerability exists in Neuron versions 2.8.11 and earlier in MySQLSelectTool, a tool intended to run read-only SQL queries. The tool's validation does not adequately reject the file-writing clauses INTO OUTFILE and INTO DUMPFILE, so a statement that begins with SELECT but carries one of these clauses is passed through to the database. An attacker who can influence the query the agent issues, for example through untrusted input to an agent that exposes the tool, can therefore write arbitrary files on the database server. This escalates to remote code execution when the MySQL/MariaDB account holds the FILE privilege and secure_file_priv permits writes to a useful location, such as a directory served by the web server.

Impact

Exploitation of this vulnerability allows an attacker to write arbitrary files on the database server. If the MySQL/MariaDB account has the FILE privilege and secure_file_priv is unset or points at a directory the application serves, this can escalate to remote code execution on the application host, for example by writing a PHP web shell into a web-accessible directory. Without the FILE privilege the write fails outright; with secure_file_priv pointed at a directory that is not served, the file can only land there.

Remediation

Users should upgrade to Neuron version 2.8.12, where this vulnerability is fixed. If an immediate upgrade is not possible, remove or disable MySQLSelectTool for any agent that receives untrusted input. Independently of the upgrade, ensure that the database account used by the tool does not have the FILE privilege (SHOW GRANTS FOR CURRENT_USER() should not list it) and that secure_file_priv is set to NULL, which disables file import and export entirely, or to a directory that is not web-accessible (check with SELECT @@secure_file_priv). A defensive query filter can also be added at the application layer to reject file-related clauses and the comment and whitespace tricks used to disguise them.
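
The following is an added example of the application-layer filter described above, written for this advisory. It is not Neuron's own MySQLSelectTool code and makes no claim about how Neuron's validation is implemented. It contrasts a prefix-only check, which accepts anything starting with SELECT, with a guard that blanks string literals, strips ordinary comments, keeps the body of MySQL's executable /*!...*/ version comments, collapses whitespace, and then rejects stacked statements, non-read-only statement types, and file clauses. The LOAD_FILE and LOAD DATA patterns go beyond the two clauses named in the advisory; they are included because they depend on the same FILE privilege. The sample queries are constructed.

```python
import re

# Added example for this advisory: a comment- and string-aware read-only guard.
# Illustrative code, not Neuron's MySQLSelectTool; no claim about its internals.

_READ_ONLY_START = re.compile(r"^(SELECT|WITH|SHOW|EXPLAIN|DESCRIBE|DESC)\b", re.I)
_FILE_CLAUSE = re.compile(
    r"\bINTO\s+OUTFILE\b"      # writes a text file on the DB host
    r"|\bINTO\s+DUMPFILE\b"    # writes raw bytes (a .php or .so file)
    r"|\bLOAD_FILE\s*\("       # reads a server file; same FILE privilege class
    r"|\bLOAD\s+DATA\b",       # file import; same privilege class
    re.I,
)


def weak_is_read_only(sql: str) -> bool:
    """Prefix-only validation of the kind the advisory describes as
    insufficient: any statement starting with SELECT is accepted, so
    "SELECT ... INTO OUTFILE" goes straight through."""
    return sql.lstrip().upper().startswith("SELECT")


def normalize(sql: str) -> str:
    """Reduce a statement to what MySQL will actually execute.

    String and identifier literals are blanked to '?', so a keyword inside a
    literal is neither a false positive nor a place to hide a comment marker.
    Ordinary comments are dropped; the body of a /*!...*/ version comment is
    kept because MySQL executes it. Whitespace is collapsed so that
    INTO/**/OUTFILE and INTO<newline>OUTFILE both read as INTO OUTFILE.
    """
    out, i, n = [], 0, len(sql)
    while i < n:
        c = sql[i]
        if c in "'\"`":                                      # quoted literal
            i += 1
            while i < n:
                if sql[i] == "\\":                           # backslash escape
                    i += 2
                    continue
                if sql[i] == c:
                    if i + 1 < n and sql[i + 1] == c:        # doubled quote
                        i += 2
                        continue
                    break
                i += 1
            out.append(c + "?" + c)
            i += 1                                           # past closing quote
        elif sql.startswith("/*!", i):                       # executed by MySQL
            end = sql.find("*/", i + 3)
            body = sql[i + 3:end] if end != -1 else sql[i + 3:]
            out.append(" " + normalize(body.lstrip("0123456789")) + " ")
            i = n if end == -1 else end + 2
        elif sql.startswith("/*", i):                        # ordinary comment
            end = sql.find("*/", i + 2)
            out.append(" ")
            i = n if end == -1 else end + 2
        elif c == "#" or (sql.startswith("--", i)
                          and (i + 2 == n or sql[i + 2] in " \t\r\n")):
            nl = sql.find("\n", i)                           # line comment
            out.append(" ")
            i = n if nl == -1 else nl + 1
        else:
            out.append(c)
            i += 1
    return re.sub(r"\s+", " ", "".join(out)).strip()


def hardened_is_read_only(sql: str) -> bool:
    """Application-layer guard: normalize, refuse stacked statements, require
    a read-only statement type, and reject any file-related clause."""
    body = normalize(sql).rstrip(";").strip()
    if not body or ";" in body:                  # empty or stacked statements
        return False
    if not _READ_ONLY_START.match(body):
        return False
    return _FILE_CLAUSE.search(body) is None


if __name__ == "__main__":
    # Constructed sample: the bypass the advisory describes.
    q = "SELECT '<?php echo 1; ?>' INTO OUTFILE '/var/www/html/x.php'"
    print("weak accepts:", weak_is_read_only(q))          # True
    print("hardened accepts:", hardened_is_read_only(q))  # False
```

The guard is a defense-in-depth layer in front of the database, not a replacement for removing the FILE privilege and setting secure_file_priv; it deliberately rejects rather than parses, so a query it cannot classify is refused.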

Added: Dec 10, 2025, 11:18 PM
Updated: Dec 10, 2025, 11:18 PM

Vulnerability Rating

Custom Algorithm

Metric          Score
spread          0.0
impact          5.0
exploitability  8.1
remediation     7.7
relevance       1.4
threat          3.2
urgency         2.9
incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.