CVE-2023-1713: 
Homebrew vulnerability analysis and mitigation

A vulnerability was discovered in Bitrix24 version 22.0.300 (CVE-2023-1713) involving insecure temporary file creation in bitrix/modules/crm/lib/order/import/instagram.php. The vulnerability allows remote authenticated attackers to execute arbitrary code via uploading a crafted '.htaccess' file when the application is hosted on Apache HTTP Server (STAR Labs).

The vulnerability exists in the importAjax action of the crm.order.import.instagram.view component. The issue occurs in the Instagram::saveImage function where the application downloads an attacker-controlled file and saves it as a temporary file in the upload directory. Since the attacker has full control over the filename, they can override configuration files like .htaccess. The path generated by CTempFile::GetFileName ends with the attacker-controlled filename, allowing manipulation of the file type and contents (STAR Labs).

When successfully exploited, this vulnerability allows authenticated attackers to execute arbitrary commands on the affected web server through the creation of malicious .htaccess files. The attack can be reliably executed within 60 seconds when the attacker and victim Bitrix24 application are on the same device (STAR Labs).

Detection of exploitation attempts can be accomplished by monitoring server access logs for requests made to /upload/tmp/xxx/.htaccess where xxx is a 3-character alphanumeric string, or any requests to /upload/tmp/ path which should not be accessed via HTTP requests (STAR Labs).

The vulnerability has been actively monitored and tagged by security researchers, with GreyNoise Intelligence reporting active scanning attempts for this vulnerability in December 2023 (GreyNoise).