<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Pheditor 2.0.4 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/pheditor-2.0.4/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 16 Jul 2026 20:02:31 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/pheditor-2.0.4/feed.xml" rel="self" type="application/rss+xml"/><item><title>Pheditor Authenticated Command Whitelist Bypass via Shell Command Substitution</title><link>https://feed.craftedsignal.io/briefs/2026-07-pheditor-whitelist-bypass/</link><pubDate>Thu, 16 Jul 2026 20:02:31 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-pheditor-whitelist-bypass/</guid><description>Pheditor 2.0.4 contains an authenticated command injection vulnerability, CVE-2026-54540, allowing a user with `terminal` permissions to bypass the `TERMINAL_COMMANDS` whitelist by leveraging shell command substitution to execute arbitrary shell commands as the web server user.</description><content:encoded><![CDATA[<p>Pheditor version 2.0.4 is susceptible to an authenticated terminal command whitelist bypass vulnerability, identified as CVE-2026-54540. This flaw allows an attacker with legitimate access and <code>terminal</code> permissions to execute arbitrary operating system commands on the underlying web server. The vulnerability stems from how Pheditor's <code>terminal</code> feature validates user-submitted commands. While it checks if a command string begins with an entry from a predefined <code>TERMINAL_COMMANDS</code> whitelist, it fails to sanitize or block shell command substitution syntax, such as <code>$()</code>, before passing the full command directly to the <code>shell_exec()</code> PHP function. This permits an authenticated user to append malicious commands using substitution after a whitelisted prefix, effectively circumventing security controls and achieving remote code execution as the web server user. This is critical for deployments where <code>TERMINAL_COMMANDS</code> is relied upon to restrict administrative terminal access to a limited set of safe commands.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An authenticated attacker logs into the Pheditor application with privileges that include <code>terminal</code> access.</li>
<li>The attacker accesses the terminal feature within the Pheditor application.</li>
<li>The attacker crafts a malicious command string that begins with a whitelisted command (e.g., <code>ls</code>) and appends a shell command substitution (e.g., <code>$(arbitrary_command)</code>).</li>
<li>The Pheditor application receives the command via a <code>POST</code> request to <code>pheditor.php</code> or a similar endpoint.</li>
<li>The application performs a prefix check, confirming that the initial part of the attacker's command (e.g., <code>ls</code>) matches an entry in the <code>TERMINAL_COMMANDS</code> allowlist.</li>
<li>Despite the presence of shell metacharacters for command substitution, the application passes the entire, unsanitized command string to the <code>shell_exec()</code> PHP function.</li>
<li>The underlying operating system shell executes the command, including the arbitrary commands embedded via substitution, leading to remote code execution as the web server user.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-54540 grants an authenticated attacker the ability to execute arbitrary shell commands as the web server user. This can lead to complete compromise of the Pheditor instance and potentially the underlying server. Attackers could exfiltrate sensitive data, deface the website, install backdoors, or pivot to other systems within the network. This vulnerability is particularly impactful for organizations that deploy Pheditor and rely on the <code>TERMINAL_COMMANDS</code> configuration to restrict terminal access to a controlled set of operations, as these restrictions can be trivially bypassed.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule provided in this brief to detect attempts at command substitution in Pheditor's terminal input.</li>
<li>Monitor <code>webserver</code> logs for HTTP POST requests to <code>pheditor.php</code> or similar endpoints that contain the <code>command</code> parameter with shell command substitution patterns (e.g., <code>$()</code>).</li>
<li>Patch Pheditor to a version greater than 2.0.4, or implement the suggested fixes from the advisory, which include avoiding <code>shell_exec()</code> for user-controlled input, requiring exact command matches, or comprehensively rejecting shell metacharacters.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>web-vulnerability</category><category>command-injection</category><category>php</category></item></channel></rss>