SourceCodester Online Tutor Portal SQL Injection Vulnerability

A critical SQL injection vulnerability has been identified in SourceCodester Online Tutor Portal version 1.0. The issue resides in the file '/tutor/courses/manage_course.php', where the 'id' parameter can be manipulated to inject malicious SQL statements. This vulnerability allows attackers to interfere with the application's database queries, potentially leading to unauthorized data access, modification, or deletion.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate database queries to gain unauthorized access to data, bypass application security, and potentially modify or delete database information.

Reproduction

To reproduce this vulnerability, send a request to '/tutor/courses/manage_course.php' with a crafted 'id' parameter that includes SQL injection payloads. The injected SQL code can be used to manipulate the database query execution, such as by adding a delay to demonstrate the injection success.