Improper Restriction of Names for Files and Other Resources in pheditor/pheditor

Valid

Reported on

Oct 2nd 2021


Description

This issue allows an attacker to influence calls to the 'unlink()' function and delete arbitrary files.
https://github.com/pheditor/pheditor is vulnerable to DoS via Arbitrary file deletion.

Proof of concept

Vuln variable: $_POST['path']
Snippet:

        case 'delete':
            if (isset($_POST['path']) && file_exists(MAIN_DIR . $_POST['path'])) {
                $path = MAIN_DIR . $_POST['path'];
                ...
                                } else {
                    file_to_history($path);


                    if (is_writable($path)) {
                        if (in_array('deletefile', $permissions) !== true) {
                            die(json_error('Permission denied'));
                        }


                        unlink($path);
            ...         

Payload

pheditor.php restricts files to be removed , avoiding path traversal attacks, however, an attacker can perform a denial of service to the system, because the script file pheditor.php can be removed by itself , thus making a denial of service attack. To show this do the following: Go to http://localhost/pheditor-2/pheditor.php#/
Select any file in the left panel, for example README.md
Intercept the request in a proxy (burp for example https://portswigger.net/burp/documentation/desktop/external-browser-config/browser-config-firefox ).
Change the POST path value to /pheditor.php
Forward the forged requests.
Now refresh the browser and observe the Denial of Service.

Impact

Using the previous technique allows an attacker https://github.com/pheditor/pheditor/blob/69a79e3ba7f4a9f844cf5919c14a953e4a0d1867/pheditor.php#L378-L380to perform denial of service attacks on the server.

We have contacted a member of the pheditor team and are waiting to hear back 2 months ago
hitisec modified their report
2 months ago
Hamid Samak validated this vulnerability 2 months ago
hitisec has been awarded the disclosure bounty
The fix bounty is now up for grabs
Hamid Samak confirmed that a fix has been merged on bb9567 2 months ago
Hamid Samak has been awarded the fix bounty
pheditor.php#L435-L447 has been validated
pheditor.php#L416-L419 has been validated
pheditor.php#L398-L406 has been validated