PHPGurukul Online Course Registration SQL Injection Vulnerability in Session Management

Vulnerability

A SQL injection vulnerability has been identified in PHPGurukul Online Course Registration version 3.1. The issue resides in the admin/session.php file: manipulating the 'sesssion' parameter allows attackers to inject malicious SQL queries. The vulnerability can be exploited remotely, without any authentication.

Impact

Exploitation of this vulnerability allows attackers to access the database, manipulate or delete data, and extract sensitive information. Such actions could lead to unauthorized database access and data breaches.

Reproduction

The vulnerability can be reproduced by sending a POST request to '/onlinecourse/admin/session.php' with the 'sesssion' parameter. The request should include a payload that exploits the SQL injection, such as a time-based blind injection that uses the SQL 'SLEEP' function to demonstrate the injection's effectiveness.

Remediation

No specific remediation is known for this vulnerability. However, general best practices for preventing SQL injection should be followed, such as using prepared statements and parameterized queries, validating and sanitizing user input, and minimizing database user privileges.
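
Prepared statements and input validation applied to the 'sesssion' parameter, together with an authentication check, as an added example that is not PHPGurukul's code or a vendor fix. The table and column name `session`, the `admin_id` login marker, the "YYYY-YY" value format and the in-memory SQLite database are assumptions made so the example runs on its own.

```php
<?php
// Added example: hardened handling of the 'sesssion' POST parameter.
// Assumptions (not from the advisory): a table `session` with a text column
// `session`, an 'admin_id' key marking a logged-in admin, and a "YYYY-YY"
// value format. In-memory SQLite stands in for the application's database.
declare(strict_types=1);

function add_session(PDO $db, array $post, array $login): array
{
    // 1. Require an authenticated admin before touching the database.
    if (empty($login['admin_id'])) {
        return [401, 'login required'];
    }
    // 2. Allow-list validation: reject anything that is not the expected shape
    //    (this also rejects array-valued parameters such as sesssion[]=...).
    $value = $post['sesssion'] ?? null;
    if (!is_string($value) || preg_match('/\A\d{4}-\d{2}\z/', $value) !== 1) {
        return [400, 'invalid session value'];
    }
    // 3. Parameterized query: the value is bound as data, never parsed as SQL.
    $stmt = $db->prepare('INSERT INTO session (session) VALUES (:s)');
    $stmt->execute([':s' => $value]);
    return [200, 'stored'];
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE session (id INTEGER PRIMARY KEY, session TEXT NOT NULL)');

// Constructed requests: valid, unauthenticated, stray quote, array-valued.
$cases = [
    [['sesssion' => '2025-26'], ['admin_id' => 1]],
    [['sesssion' => '2025-26'], []],
    [['sesssion' => "2025-26'"], ['admin_id' => 1]],
    [['sesssion' => ['2025-26']], ['admin_id' => 1]],
];
foreach ($cases as [$post, $login]) {
    [$code, $msg] = add_session($db, $post, $login);
    echo $code, ' ', $msg, PHP_EOL;
}
// Only the first request should have produced a row.
echo 'rows: ', $db->query('SELECT COUNT(*) FROM session')->fetchColumn(), PHP_EOL;
```

With a MySQL PDO connection, also set PDO::ATTR_EMULATE_PREPARES to false so the statement is prepared on the server. The database account used by the application should hold only the privileges this insert needs.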

Added: Aug 21, 2025, 4:18 PM
Updated: Aug 21, 2025, 6:36 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 7.5
exploitability: 9.7
remediation: 0.0
relevance: 0.4
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.