MySQL clients can be abused via the LOAD DATA LOCAL INFILE feature to exfiltrate arbitrary files from the client machine by setting up a fake MySQL server that bypasses authentication and sends malicious payloads. This exploitation technique works because MySQL clients trust server-sent commands after authentication, allowing attackers to read sensitive files like /etc/hosts from compromised systems.
A Local File Inclusion (LFI) vulnerability was discovered in Nokia Maps that allowed reading arbitrary files from the server (e.g., /etc/passwd). The vulnerability was reported on January 2, 2013, and patched by Nokia on January 20, 2013.
A researcher discovered a local file inclusion (LFI) vulnerability on Google's production servers at springboard.google.com through directory enumeration and authorization bypass, escalating from an initial auth bypass to full LFI with admin privileges, ultimately earning a $13,337 bounty from Google's Vulnerability Reward Program.