
CVE-2024-7360: Tracking Monitoring System CSRF Vulnerability

CVE-2024-7360 is a cross-site request forgery flaw in Oretnom23 Tracking Monitoring Management System 1.0 affecting /ajax.php. This vulnerability allows remote attackers to exploit the system. Learn about affected versions and mitigation.

CVE-2024-7360 Overview

CVE-2024-7360 is a Cross-Site Request Forgery (CSRF) vulnerability in SourceCodester Tracking Monitoring Management System 1.0, developed by oretnom23. The flaw resides in the /ajax.php endpoint, which fails to validate the origin of state-changing requests. An attacker can craft a malicious page that, when visited by an authenticated user, issues unauthorized requests against the application. The exploit has been publicly disclosed under VulDB identifier VDB-273339 and is reachable over the network without authentication or user interaction beyond visiting an attacker-controlled page.

Critical Impact

Authenticated users browsing attacker-controlled content can be coerced into performing unintended state-changing actions in the Tracking Monitoring Management System.

Affected Products

  • SourceCodester (oretnom23) Tracking Monitoring Management System 1.0
  • Component: /ajax.php
  • CPE: cpe:2.3:a:oretnom23:tracking_monitoring_management_system:1.0

Discovery Timeline

  • 2024-08-01 - CVE-2024-7360 published to NVD
  • 2024-08-09 - Last updated in NVD database

Technical Details for CVE-2024-7360

Vulnerability Analysis

The vulnerability is classified as Cross-Site Request Forgery [CWE-352]. The /ajax.php handler processes sensitive operations without verifying that the request originates from a legitimate, intentional user action within the application. There is no anti-CSRF token, no Origin or Referer header validation, and no use of the SameSite cookie attribute to bound session reuse.

A remote attacker hosts a page containing a hidden form or fetch() call targeting /ajax.php. When a logged-in administrator or user loads the attacker page, the browser automatically attaches the application's session cookie. The server executes the forged action under the victim's identity.

The impact is limited to integrity. According to the CVSS 4.0 vector, the vulnerability does not require privileges or user interaction at the protocol level, although CSRF exploitation requires the victim to visit an attacker-controlled resource.

Root Cause

The root cause is missing CSRF protection on the /ajax.php endpoint. The application relies solely on session cookies to authorize state-changing requests and does not implement per-session tokens, double-submit cookies, or strict same-origin checks.

Attack Vector

Exploitation is network-based. An attacker prepares an HTML page hosting a form that auto-submits a POST or GET request to the target /ajax.php endpoint with attacker-chosen parameters. The attacker delivers the link through phishing, a forum post, or any other medium. When a victim with an active session loads the page, the browser sends the request along with valid session cookies, and the application processes the forged action. Public proof-of-concept details are available in the VulDB entry #273339 and the GitHub Gist PoC.

Detection Methods for CVE-2024-7360

Indicators of Compromise

  • POST or GET requests to /ajax.php with Referer or Origin headers pointing to external domains.
  • Requests to /ajax.php that carry an authenticated session cookie but no Referer header.
  • Unexpected modifications to tracking records, user data, or configuration tied to administrative sessions.

Detection Strategies

  • Inspect web server access logs for /ajax.php entries where the Referer does not match the application's own host.
  • Correlate session activity with user behavior to flag actions performed immediately after the user visited external URLs.
  • Deploy a Web Application Firewall (WAF) rule that blocks state-changing requests to /ajax.php without a valid anti-CSRF token.
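The log-review strategy above, worked through as an added example (not code from the page or the project): it parses a constructed access-log format that records Referer, Origin and Cookie for each request, and flags session-bearing /ajax.php hits whose Origin or Referer points off-host (including the opaque `Origin: null` a sandboxed or data-URL page produces) or that carry neither header. The hostname, log format and sample lines are assumptions for the example.

```python
import re
from urllib.parse import urlsplit

APP_HOST = "tracking.example.com"  # assumed hostname of the application (placeholder)
TARGET_PATH = "/ajax.php"

# Assumed custom access-log format (constructed for this example, not the page's):
# <ip> - [<time>] "<method> <path> <proto>" <status> "<referer>" "<origin>" "<cookie>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<referer>[^"]*)" "(?P<origin>[^"]*)" "(?P<cookie>[^"]*)"$'
)

def present(value: str) -> bool:
    """Log writers emit '-' for a missing header; treat that like empty."""
    return value not in ("", "-")

def host_of(url: str) -> str:
    """Lowercased hostname of a URL; '' for 'null' (opaque origin) or malformed values."""
    return (urlsplit(url).hostname or "").lower()

def classify(line: str):
    """Return a finding for a suspicious session-bearing /ajax.php request, else None."""
    m = LOG_RE.match(line)
    if not m or m["path"].split("?", 1)[0] != TARGET_PATH:
        return None
    if "PHPSESSID=" not in m["cookie"]:
        return None  # no session cookie: cannot be a forged request riding a victim session
    referer, origin, who = m["referer"], m["origin"], f"{m['ip']} {m['method']} {TARGET_PATH}"
    if present(origin) and host_of(origin) != APP_HOST:
        return f"{who}: cross-origin Origin {origin!r}"  # also catches 'Origin: null'
    if present(referer) and host_of(referer) != APP_HOST:
        return f"{who}: external Referer {referer!r}"
    if not present(referer) and not present(origin):
        return f"{who}: no Referer or Origin on a session-bearing request"
    return None

def scan(lines):
    """Run classify() over log lines and collect the findings in order."""
    return [f for f in map(classify, lines) if f]

SAMPLE_LOG = [  # constructed sample lines, not from the page or any real deployment
    '198.51.100.7 - [01/Aug/2024:10:00:01 +0000] "GET /ajax.php?action=list HTTP/1.1" 200 '
    '"https://tracking.example.com/index.php" "-" "PHPSESSID=abc123"',
    '198.51.100.7 - [01/Aug/2024:10:05:00 +0000] "POST /ajax.php HTTP/1.1" 200 '
    '"https://forum.example.net/thread/42" "https://forum.example.net" "PHPSESSID=abc123"',
    '198.51.100.7 - [01/Aug/2024:10:06:00 +0000] "POST /ajax.php HTTP/1.1" 200 "-" "null" "PHPSESSID=abc123"',
    '203.0.113.9 - [01/Aug/2024:10:07:00 +0000] "POST /ajax.php HTTP/1.1" 200 "-" "-" "PHPSESSID=abc123"',
    '203.0.113.9 - [01/Aug/2024:10:08:00 +0000] "POST /ajax.php HTTP/1.1" 302 "https://forum.example.net/" "-" "-"',
]
```

Running `scan(SAMPLE_LOG)` yields three findings: the cross-origin POST, the `Origin: null` POST, and the header-less session-bearing POST; the first-party GET and the cookie-less request are not reported.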

Monitoring Recommendations

  • Forward web server and application logs to a centralized analytics platform for anomaly identification on /ajax.php.
  • Alert on bursts of /ajax.php requests originating from a single session within short time windows.
  • Track changes to administrative records and reconcile them against authenticated user activity timelines.

How to Mitigate CVE-2024-7360

Immediate Actions Required

  • Restrict access to the Tracking Monitoring Management System to trusted networks or place it behind a VPN until a fix is applied.
  • Require administrators to log out of the application before browsing untrusted sites and to use separate browser profiles for administrative work.
  • Deploy a WAF rule that rejects requests to /ajax.php when the Origin or Referer header does not match the application's hostname.

Patch Information

No vendor patch has been published for SourceCodester Tracking Monitoring Management System 1.0 at the time of this writing. Monitor the VulDB advisory for updates. Organizations running this software should consider replacing it with a maintained alternative.

Workarounds

  • Add server-side CSRF tokens to all forms invoking /ajax.php and validate them on every state-changing request.
  • Configure session cookies with SameSite=Strict and Secure attributes to limit cross-origin cookie attachment.
  • Enforce Origin and Referer header validation on /ajax.php for all non-idempotent HTTP methods.
  • Limit administrative access by IP allowlist where feasible.
```nginx
# Example nginx hardening for /ajax.php: reject cross-origin requests to the
# endpoint. Replace your-app.example.com with the application's real hostname.
location = /ajax.php {
    # Reject when an Origin header is present but is not ours. An absent Origin
    # (same-site navigations, non-browser clients) is allowed so legitimate
    # traffic keeps working; the Referer check below still applies to it.
    if ($http_origin !~* "^(https://your-app\.example\.com)?$") {
        return 403;
    }
    # Same rule for Referer: it must be absent or start with our origin.
    if ($http_referer !~* "^(https://your-app\.example\.com/.*)?$") {
        return 403;
    }
    # Cookie attributes must be set where the session cookie is issued, i.e. in
    # PHP (php.ini): session.cookie_samesite = Strict, session.cookie_secure = On,
    # session.cookie_httponly = On. Re-emitting the cookie from nginx would not
    # work reliably and would send an empty cookie when none was received.
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php-fpm.sock;
}
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
