This is a read-only archive of the Mumble forums.

This website archives and makes accessible historical state. It receives no updates or corrections. It is provided only to keep the information accessible as-is, under their old address.

For up-to-date information please refer to the Mumble website and its linked documentation and other resources. For support please refer to one of our other community/support channels.

Jump to content

Possible SQL Injection attack on Murmur server


Morgaul
 Share

Recommended Posts

Mumble server 1.2.19 for Linux murmur-static_x86-1.2.19.tar.bz2 working on Ubuntu 16.04 LTS x64.

Logging to log file on disk.

Suddenly crashes twice for 2 minutes.

Log file before crash:

2018-05-22 18:50:37.179 2 => <22:(-1)> Client version 1.2.4 (iOS: Mumble for iOS 1003001001)

2018-05-22 18:50:37.185 SQL Error [iNSERT INTO `slog` (`server_id`, `msg`) VALUES(?,?)]: Incorrect string value: '\xF0\x9F\xA5\x9E(-...' for column 'msg' at row 1 QMYSQL3: Unable to execute statement

2018-05-22 18:50:56.833 Initializing settings from /etc/murmur.ini (basepath /etc)


Does it SQL injection attack? :shock:

Link to comment
Share on other sites

  • Administrators

Well, we can't say for sure from this. I guess someone tried to. That doesn't mean he managed to sql inject though.

But a crash indicates a different issue, at some point of string handling of the message.

I guess you don't know the person that did this and could provide more information?


/e:

Oh, I see you're using MySQL as the server backend database.

Note that while we try to keep it usable, we don't officially support that.


On IRC fwaggle suggested that this may be due to a misconfigured character set in MySQL.

Link to comment
Share on other sites

  • Moderators

Yeah, there's no SQLi attack here - MySQL is just failing to marshal the UTF-8 string (in case you're wondering, it's a stack of pancakes) into the table. Murmur 1.2.19 on sqlite handles that username just fine (though for some reason even with a completely permissive channel name, it doesn't like creating a channel out of pancackes - it doesn't crash, it just refuses to create the channel).


Murmur should be using UTF-8 internally, so likely your MySQL tables (at least the log, but presumably the rest also) are set up to something different. Checking the table character set is fairly easy in phpMyAdmin, it's non-trivial via the command line client.


You might be able to fix the tables using something like ALTER TABLE tablename CONVERT TO CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci; - that might also trash your database, so take backups before you do it and all that.


If Murmur generated those tables for you, it's arguably a bug that it didn't do them with the correct character set, but considering that MySQL support isn't official I'm not sure how quickly it'd get fixed. :(

Full disclosure: I used to run a commercial Mumble host, and my opinions do not reflect the opinions of the Mumble project.

Avatar is stolen from here

Link to comment
Share on other sites

 Share

×
×
  • Create New...