SourceCodester Online Tutor Portal SQL Injection Vulnerability
Vulnerability
A critical SQL injection vulnerability has been identified in SourceCodester Online Tutor Portal version 1.0. The flaw is in the file '/tutor/courses/view_course.php', where the value of the 'ID' argument reaches a database query without adequate validation or parameterization, so a crafted value changes the SQL statement that is executed. The vulnerability can be exploited remotely: an attacker who can reach the endpoint bypasses the application layer and interacts directly with the database, potentially reading, modifying, or deleting its data.
Impact
Successful exploitation gives the attacker arbitrary SQL execution with the privileges of the database account the application uses, so the practical impact is bounded by that account's rights. At minimum this means unauthorized access to the application's data; where the account can write, it also means modification or deletion of records, compromising the integrity and confidentiality of the application's data.
Reproduction
To reproduce this vulnerability, send a request to the '/tutor/courses/view_course.php' endpoint with a crafted 'ID' parameter containing SQL injection payloads and compare the responses with those for a valid ID. Typical confirmations are a database error message in the response, differing responses for payloads that append a true versus a false condition to an otherwise valid ID (boolean-based), a delayed response for a payload that invokes a database sleep function (time-based), or the return of records that the supplied ID alone should not select.
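The following is an added example, not code from the Online Tutor Portal project or from this advisory. It reconstructs the general pattern behind this class of flaw in Python with an in-memory SQLite database rather than the application's PHP and MySQL: a lookup that concatenates the 'ID' parameter into the query beside a hardened version that validates and binds it, plus the boolean-based differential check described under Reproduction. The table name, column names, sample rows and function names are all assumptions made for illustration.

```python
import re
import sqlite3
from typing import Callable, Tuple

# Constructed sample data; schema and rows are assumptions for illustration,
# not taken from the Online Tutor Portal source.
ROWS = [
    (1, "Intro to Algebra", "published"),
    (2, "Linear Algebra", "published"),
    (3, "Hidden Draft Course", "draft"),
]


def make_db() -> sqlite3.Connection:
    """Build the in-memory database the two lookup functions run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE courses (id INTEGER PRIMARY KEY, title TEXT, status TEXT)")
    conn.executemany("INSERT INTO courses VALUES (?, ?, ?)", ROWS)
    return conn


def view_course_vulnerable(conn: sqlite3.Connection, course_id: str) -> list:
    """Hypothetical reconstruction of the flawed pattern: the raw request
    parameter is concatenated into the statement, so anything after a valid
    number becomes part of the SQL."""
    sql = f"SELECT id, title FROM courses WHERE id = {course_id}"
    return conn.execute(sql).fetchall()


def view_course_fixed(conn: sqlite3.Connection, course_id: str) -> list:
    """Hardened form: enforce the expected type, then bind the value as a
    parameter so the driver never treats it as SQL."""
    if not re.fullmatch(r"[0-9]+", course_id):
        raise ValueError("ID must be a positive integer")
    return conn.execute(
        "SELECT id, title FROM courses WHERE id = ?", (int(course_id),)
    ).fetchall()


def _probe(fetch: Callable[[str], object], payload: str) -> Tuple[str, object]:
    """Run one payload and capture either the result or the error class.
    A database error leaking back to the caller is itself a signal."""
    try:
        return ("ok", fetch(payload))
    except Exception as exc:  # noqa: BLE001 - any failure mode is data here
        return ("error", type(exc).__name__)


def looks_injectable(fetch: Callable[[str], object], base_id: str = "1") -> bool:
    """Boolean-based differential check: if appending a true condition to a
    valid ID behaves like the baseline while a false condition does not,
    the parameter is reaching the query unescaped."""
    baseline = _probe(fetch, base_id)
    true_case = _probe(fetch, f"{base_id} AND 1=1")
    false_case = _probe(fetch, f"{base_id} AND 1=2")
    return true_case == baseline and false_case != baseline


def demo() -> dict:
    """Exercise both lookups so the results can be inspected or asserted on."""
    conn = make_db()
    return {
        # Normal use of the vulnerable lookup is indistinguishable from the fixed one.
        "normal": view_course_vulnerable(conn, "1"),
        # A tautology turns a single-record lookup into a dump of every row,
        # including the draft course the ID should never select.
        "tautology_rows": len(view_course_vulnerable(conn, "0 OR 1=1")),
        "vulnerable_detected": looks_injectable(lambda v: view_course_vulnerable(conn, v)),
        # The hardened lookup rejects both probes identically, so the check stays negative.
        "fixed_detected": looks_injectable(lambda v: view_course_fixed(conn, v)),
        "fixed_normal": view_course_fixed(conn, "2"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Against a live target the `fetch` callable would issue the HTTP request and return the response body or status; the differential logic is unchanged. Note that the hardened version rejects the payload before any query runs, which is why the true and false probes produce the same outcome and the check correctly reports it as not injectable.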
