A malicious MySQL server can instruct MySQL clients to send it any file. See:
- https://twitter.com/gwillem/status/1086275952915533828
- https://gwillem.gitlab.io/2019/01/17/adminer-4.6.2-file-disclosure-vulnerability/
- https://dev.mysql.com/doc/refman/8.0/en/load-data-local.html
This is not normally exploitable (an attacker can't instruct Phabricator to connect to a MySQL server they control) but the existence of the capability is completely absurd and it's relatively easy to prevent:
https://github.com/vrana/adminer/commit/c564a8ef5095d26b1d7f2ebab4dc3c3516bc0c7b
It looks like the approach is:
- If we're using MySQLi, disable MYSQLI_OPT_LOCAL_INFILE.
- If we're not using MySQLI, raise a setup warning if mysql.allow_local_infile is enabled.