Disclosure of Security Vulnerabilities at Hotsplots

Oct 31, 2025

Hotsplots is one of Europe's largest providers of professional WiFi hotspot solutions. Founded in Berlin in 2004, the company provides public Internet access to a wide range of locations, including hotels, restaurants, campsites, libraries, and local and long-distance public transport vehicles (buses and trains). Hotsplots' systems manage Internet access via special login pages.

During an unplanned investigation, we discovered several critical security vulnerabilities in the Hotsplots infrastructure. This analysis describes the technical details of the vulnerabilities found.

Vulnerabilities Summary

A chain of security flaws made it possible to gain extensive access to Hotsplots' internal systems. The investigation began with a publicly accessible git directory that revealed the source code of an authentication service. Analysis of this source code led to the discovery of database credentials and a critical SQL injection vulnerability. This allowed access to hundreds of database tables containing customer and business data. Another vulnerability in the router login process would have allowed attackers to download VPN configurations and potentially log into the router network.

Git Directory and Database Access

By chance, we discovered that the git repository directory of the authentication service was publicly accessible at the URL https://hotsplots.de/auth/.git/. This allowed us to download the entire git directory and thus fully reconstruct the source code of the PHP-based authentication service.
During the subsequent analysis of the source code, we came across hard-coded login credentials for an internal database.

Time-Based SQL Injection

The investigation of the recovered PHP source code also revealed a serious security vulnerability in the form of a time-based SQL injection. We were able to verify this vulnerability.
By exploiting this vulnerability, an attacker could gain read access to the underlying database. This included access to several hundred tables containing sensitive customer and business data.
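As a defender-side companion to the two findings above (the exposed .git directory and the time-based SQL injection), here is an added example that is not part of the original disclosure and not Hotsplots code: a small Python log triage routine that flags requests for .git paths that were actually served (HTTP 200, i.e. a confirmed exposure rather than a mere probe) and query strings carrying time-delay functions typical of time-based injection. The log lines, IP addresses and paths are constructed for the example.

```python
import re
import urllib.parse
from collections import Counter

# Constructed sample lines in combined log format; not real Hotsplots traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Oct/2025:10:00:01 +0100] "GET /auth/.git/HEAD HTTP/1.1" 200 23 "-" "curl/8.0"
203.0.113.7 - - [31/Oct/2025:10:00:02 +0100] "GET /auth/.git/config HTTP/1.1" 200 140 "-" "curl/8.0"
198.51.100.9 - - [31/Oct/2025:10:01:00 +0100] "GET /auth/login.php?user=a HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [31/Oct/2025:10:01:09 +0100] "GET /auth/login.php?user=a%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.4 - - [31/Oct/2025:10:02:00 +0100] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Any request into a .git directory (HEAD, config, objects/...).
GIT_RE = re.compile(r'/\.git(/|$)')
# Delay primitives used by time-based injection across common DB engines.
TIME_SQLI_RE = re.compile(r'\b(SLEEP|BENCHMARK|PG_SLEEP|WAITFOR)\b', re.IGNORECASE)


def classify(line):
    """Return (ip, [finding, ...]) for one log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode percent-encoding so SLEEP(5) hidden as %53LEEP or %20 padding is seen.
    path = urllib.parse.unquote(m['path'])
    findings = []
    if GIT_RE.search(path):
        # A 200 means the server handed out repository data: confirmed exposure.
        findings.append('git_exposure' if m['status'] == '200' else 'git_probe')
    if TIME_SQLI_RE.search(path):
        findings.append('time_based_sqli')
    return m['ip'], findings


def analyse(log_text):
    """Aggregate findings per source IP: {ip: Counter({finding: count})}."""
    hits = {}
    for line in log_text.splitlines():
        result = classify(line)
        if not result or not result[1]:
            continue
        ip, findings = result
        for finding in findings:
            hits.setdefault(ip, Counter())[finding] += 1
    return hits
```

Running `analyse(SAMPLE_LOG)` reports two served .git requests from one address and one time-delay payload from another; the ordinary request is not flagged. The same approach works on a live access log, though the .git check is only a detection and the real fix is denying dot-directories at the web server and removing the repository from the document root.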

Vulnerability in Router Login Process

Independently of the first two findings, we identified another security vulnerability. This concerned the login procedure for the routers used by Hotsplots. The vulnerability made it possible to download the VPN configuration of the devices.
With the configuration data obtained, an attacker could potentially establish a VPN connection to the internal router network and further compromise it.