Critical Flaws Found in Widely Used IPTV Software for Online Streaming Services

Security researchers have discovered multiple critical vulnerabilities in a popular IPTV middleware platform that is currently being used by more than a thousand regional and international online media streaming services to manage their millions of subscribers.

Discovered by security researchers at CheckPoint, the vulnerabilities reside in the administrative panel of the Ministra TV platform and, if exploited, could allow attackers to bypass authentication and extract the subscriber database, including subscribers’ financial details.

Besides this, the flaws could also allow attackers to replace broadcasts and stream any content of their choice on the TV screens of all affected customer networks.

The Ministra TV platform, previously known as Stalker Portal, is software written in PHP that works as a middleware platform for media streaming services, managing Internet Protocol television (IPTV), video-on-demand (VOD) and over-the-top (OTT) content, licenses and subscribers.

Developed by Ukrainian company Infomir, the Ministra software is currently used by over a thousand online media streaming services, with the highest numbers of providers in the United States (199), followed by the Netherlands (137), Russia (120), France (117) and Canada (105).

CheckPoint researchers found a logic vulnerability in an authentication function of the Ministra platform that fails to validate the request, allowing a remote attacker to bypass authentication and perform SQL injection through a separate vulnerability that otherwise only an authenticated attacker could exploit.

As shown in the video demonstration, when the researchers further chained this with a PHP Object Injection vulnerability, they were able to remotely execute arbitrary code on the targeted server.

“In this particular case, we used the authentication bypass to perform an SQL Injection on the server,” the researchers explain. “With that knowledge, we escalated this issue to an Object Injection vulnerability, which in turn allowed us to execute arbitrary code on the server, potentially impacting not only the provider but also the provider’s clients.”

CheckPoint researchers reported their findings to the company, which has now patched the issues with the release of Ministra version 5.4.1.

Vendors are strongly advised to update their systems to the latest version as soon as possible.
