Bitrix24
cpe:2.3:a:bitrix:bitrix24:*:*:*:*:*:*:*
- <= 25.100.300
A remote code execution vulnerability exists in Bitrix24 versions through 25.100.300, specifically within the Translate Module. The module allows users with SOURCE and WRITE permissions to upload archive files, and these archives can include malicious PHP scripts. Because the archives are extracted without proper content verification, arbitrary code can be executed. The vulnerability can be exploited by uploading a PHP file along with a crafted .htaccess file; the PHP file is then executed on the server.
Exploitation of this vulnerability allows for remote code execution on the server where Bitrix24 is hosted.
To reproduce this vulnerability, an account with SOURCE and WRITE permissions in the Translate Module is required. After logging into Bitrix24, upload a malicious archive containing a PHP file and a .htaccess file through the Translate Module's upload feature. Once the archive is uploaded, extract it using the module's extraction function. After extraction, the uploaded PHP file can be accessed and executed, leading to code execution on the server.
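The missing step described above is content verification before extraction. The following is an added example, not Bitrix24 code or the vendor's fix: a pre-extraction audit that lists archive members a reviewer or upload handler should reject. The tar format, the deny-lists, and the names `audit_archive` and `build_sample` are assumptions for illustration and must be adjusted to what a deployment legitimately ships.

```python
import io
import posixpath
import tarfile

# Assumed policy for illustration; tune to what your deployment legitimately ships.
BLOCKED_NAMES = {".htaccess", ".user.ini", "web.config"}
SCRIPT_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7", ".pht"}


def audit_archive(data: bytes, script_exts=SCRIPT_EXTS):
    """Return a list of (member_name, reason) findings; empty means nothing flagged."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            name = m.name.replace("\\", "/")
            base = posixpath.basename(name).lower()
            if name.startswith("/") or ".." in name.split("/"):
                findings.append((m.name, "path escapes extraction directory"))
            if m.issym() or m.islnk():
                findings.append((m.name, "link entry"))
            if base in BLOCKED_NAMES:
                findings.append((m.name, "per-directory server configuration"))
            # Check every dot-separated suffix, not only the last one,
            # so a name such as "x.php.txt" is flagged too.
            suffixes = {"." + s for s in base.split(".")[1:]}
            if m.isfile() and suffixes & script_exts:
                findings.append((m.name, "server-side script extension"))
    return findings


def build_sample(entries):
    """Build a constructed in-memory tar.gz from {name: bytes} for the demo."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample({  # constructed sample input
        "lang/en/messages.txt": b"HELLO=Hello\n",
        "lang/en/.htaccess": b"# constructed placeholder\n",
        "lang/en/page.php": b"<?php /* constructed placeholder */\n",
        "../outside.txt": b"x",
    })
    for name, reason in audit_archive(sample):
        print(f"{name}: {reason}")
```

An empty result means only that nothing matched this policy; extraction should still target a directory the web server does not execute scripts from.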