VDB
KO
HIGH 8.8

GHSA-9643-6xjp-vx57

Pheditor has an authenticated terminal command whitelist bypass

Details

### Summary

Pheditor 2.0.4 has an authenticated terminal command whitelist bypass.

The terminal feature checks whether the submitted command starts with one of the configured `TERMINAL_COMMANDS` values, then passes the full command string to `shell_exec()`. Shell command substitution such as `$()` is not blocked, so an authenticated user with the `terminal` permission can bypass a restricted command allowlist and execute arbitrary shell commands as the web server user.

### Details

Tested repository:

https://github.com/pheditor/pheditor

Tested commit:

`62b43df7cb8956a9b0deb9bec278ca8676c890c5`

Affected version:

Pheditor 2.0.4

Relevant code in `pheditor.php`:

- The terminal handler receives `$_POST['command']` and stores it in `$command`. - It blocks only `&`, `;`, and `||`. - It checks whether `$command` starts with one of the configured values in `TERMINAL_COMMANDS`. - It then passes the full command string to `shell_exec()`.

Relevant logic:

```php $command = $_POST['command'];

if (strpos($command, '&') !== false || strpos($command, ';') !== false || strpos($command, '||') !== false) { echo json_error("Illegal character(s) in command (& ; ||)\n"); exit; }

foreach ($terminal_commands as $value) { $value = trim($value);

if (strlen($command) >= strlen($value) && substr($command, 0, strlen($value)) == $value) { $command_found = true; break; } }

$output = shell_exec((empty($dir) ? null : 'cd ' . escapeshellarg($dir) . ' && ') . $command . ' && echo \ ; pwd'); ```

Because the whitelist check is prefix-based and the full command is executed by a shell, a command such as `ls$(...)` passes when `ls` is allowed, while the command substitution is still executed by the shell.

### PoC

This was reproduced locally with Docker and PHP 8.3.

For a strict test, the configured command allowlist was changed to only allow `ls`:

```php define('TERMINAL_COMMANDS', 'ls'); ```

Control request:

```text command=whoami ```

Observed result:

```text Command not allowed Available commands: ls ```

Bypass request:

```text command=ls$(printf pheditor-terminal-bypass >/lab/app/site/proof.txt) ```

Observed result:

```text proof.txt is created with the content: pheditor-terminal-bypass ```

This shows that even when only `ls` is allowed, arbitrary shell commands can still be executed through command substitution.

### Impact

An authenticated user with the `terminal` permission can bypass the intended `TERMINAL_COMMANDS` restriction and execute arbitrary shell commands as the web server user.

This affects deployments where administrators rely on `TERMINAL_COMMANDS` to restrict terminal access to a small set of safe commands.

Suggested fixes:

- Avoid passing user-controlled command strings to `shell_exec()`. - Parse the command into executable and arguments. - Require an exact command name match instead of prefix matching. - Execute without a shell, for example with an argument-array based process API. - If shell execution remains necessary, reject shell metacharacters comprehensively, including command substitution syntax. - Consider disabling the terminal feature by default.

Reporter credit requested:

shanjijian <shanjijian@gmail.com>

Are you affected?

Enter the version of the package you're using.

Affected packages

Packagist / pheditor/pheditor
Introduced in: 0 Fixed in: 2.0.5
Fix composer require pheditor/pheditor:^2.0.5

References