SQL Injection in akshayp282/quizx
Reported on May 19th 2021
✍️ Description
Course deletion on the teacher portal is vulnerable to SQL injection. This will allow a user to run arbitrary SQL queries and completely erase, export or change all information in the database - potentially rendering the entire platform unusable.
🕵️‍♂️ Proof of Concept
- Log in to the teacher portal
- Navigate to Courses - Delete a course
- When prompted for the course name, enter an injection string such as
test' OR 1=1;-- -
- Confirm. Refresh the page and you will notice that all the courses have been deleted.
💥 Impact
Account takeover, complete deletion of data, unauthorized changes and application lockout are possible due to this bug.
Recommendation
Use prepared statements with proper exception handling on the back-end to prevent injection attacks. Additionally, you could write basic checks on the front-end to stop such requests from going through; however, these checks are trivially bypassed and cannot replace the back-end fix.
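To illustrate the recommendation, here is an added example (not code from the quizx project) that contrasts a concatenated DELETE with a parameterised one using Python's sqlite3 module. The table name `courses`, its columns and the seeded rows are assumptions; the payload is the one from the proof of concept above.

```python
import sqlite3

# Constructed in-memory stand-in for the courses table (assumed schema; the
# report does not name the real table or columns).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE courses (id INTEGER PRIMARY KEY, name TEXT, teacher TEXT)")
    conn.executemany("INSERT INTO courses (name, teacher) VALUES (?, ?)",
                     [("Algebra", "alice"), ("Biology", "bob"), ("test", "alice")])
    conn.commit()
    return conn

def delete_course_vulnerable(conn, teacher, name):
    # The course name is pasted into the statement, so it is parsed as SQL.
    # Even scoping the DELETE to the logged-in teacher does not help: the
    # injected "OR 1=1" binds across the whole WHERE clause.
    sql = f"DELETE FROM courses WHERE teacher = '{teacher}' AND name = '{name}'"
    conn.execute(sql)
    conn.commit()

def delete_course_safe(conn, teacher, name):
    # Prepared statement: the driver binds the name as data, never as SQL.
    # Exception handling rolls back the transaction instead of leaking the
    # driver error to the user.
    try:
        cur = conn.execute("DELETE FROM courses WHERE teacher = ? AND name = ?",
                           (teacher, name))
        conn.commit()
        return cur.rowcount  # number of courses actually removed
    except sqlite3.Error:
        conn.rollback()
        raise

def count_courses(conn):
    return conn.execute("SELECT COUNT(*) FROM courses").fetchone()[0]

PAYLOAD = "test' OR 1=1;-- -"  # injection string from the proof of concept

def demo():
    vuln = make_db()
    delete_course_vulnerable(vuln, "alice", PAYLOAD)   # wipes every course
    safe = make_db()
    rejected = delete_course_safe(safe, "alice", PAYLOAD)  # no course has that name
    legit = delete_course_safe(safe, "alice", "test")      # ordinary deletion still works
    return count_courses(vuln), count_courses(safe), rejected, legit

if __name__ == "__main__":
    print(demo())  # (0, 2, 0, 1)
```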