Security researchers have discovered multiple critical vulnerabilities in a popular IPTV middleware platform that is currently being used by more than a thousand regional and international online media streaming services to manage their millions of subscribers.
Discovered by security researchers at CheckPoint, the vulnerabilities reside in the administrative panel of Ministra TV platform, which if exploited, could allow attackers to bypass authentication and extract subscribers’ database, including their financial details.
Besides this, the flaws could also allow attackers to replace the broadcast and stream any content of their choice on the TV screens of all affected customer networks.
Ministra TV platform, previously known as Stalker Portal, is a software written in PHP that works as a middleware platform for media streaming services for managing Internet Protocol television (IPTV), video-on-demand (VOD) and over-the-top (OTT) content, licenses and their subscribers.
Developed by Ukrainian company Infomir, the Ministra software is currently being used by over a thousand online media streaming services, with the highest number of providers in the United States (199), followed by the Netherlands (137), Russia (120), France (117) and Canada (105).
Video Source: Check Point Software Technologies, Ltd. YouTube Official Channel
CheckPoint researchers found a logical vulnerability in an authentication function of the Ministra platform that fails to validate the request, allowing a remote attacker to bypass authentication and then perform SQL injection through a separate vulnerability that would otherwise be exploitable only by an authenticated attacker.
As shown in the video demonstration, when this was further chained with a PHP Object Injection vulnerability, the researchers were able to remotely execute arbitrary code on the targeted server.
“In this particular case, we used the authentication bypass to perform an SQL Injection on the server,” the researchers explain. “With that knowledge, we escalated this issue to an Object Injection vulnerability, which in turn allowed us to execute arbitrary code on the server, potentially impacting not only the provider but also the provider’s clients.”
CheckPoint researchers reported their findings to the company, which has now patched the issues with the release of Ministra version 5.4.1.
Vendors are strongly recommended to update their system to the latest version as soon as possible.
Source: The Hacker News, republished by CSIRT-CY.