Code-Projects Online Course Registration SQL Injection Vulnerability in Edit-Course.php

A SQL injection vulnerability has been identified in Code-Projects Online Course Registration version 1.0. The issue resides in the file '/admin/edit-course.php', where the 'coursecode' parameter is manipulated, allowing attackers to inject malicious SQL queries. This vulnerability can be exploited remotely, without any authentication or authorization.

Impact

Exploitation of this vulnerability allows attackers to execute arbitrary SQL commands, potentially leading to unauthorized database access, data manipulation, and access to sensitive information. The vulnerability could also be exploited to disrupt service availability.

Reproduction

The vulnerability can be reproduced by sending a POST request to '/onlinecourse/admin/edit-course.php' with the 'coursecode' parameter. The request should include a payload that exploits the SQL injection vulnerability, such as a time-based blind SQL injection payload that uses the SQL 'SLEEP' function to demonstrate the injection.

Remediation

It is recommended to use prepared statements and parameter binding to prevent SQL injection, validate and filter user input, minimize database user permissions, and conduct regular security audits.