SQL injection vulnerability in SaphpLesson 4.3, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the CLIENT_IP HTTP header.
https://exchange.xforce.ibmcloud.com/vulnerabilities/53305
http://www.exploit-db.com/exploits/9700