Improper Restriction of Names for Files and Other Resources in pheditor/pheditor
Reported on
Oct 2nd 2021
Description
This issue allows an attacker to control the path passed to the unlink() call and delete any file under MAIN_DIR that the web server can write to, including pheditor.php itself.
https://github.com/pheditor/pheditor is vulnerable to denial of service via arbitrary file deletion.
Proof of concept
Vuln variable: $_POST['path']
Snippet:
case 'delete':
    if (isset($_POST['path']) && file_exists(MAIN_DIR . $_POST['path'])) {
        $path = MAIN_DIR . $_POST['path'];
        ...
        } else {
            file_to_history($path);
            if (is_writable($path)) {
                if (in_array('deletefile', $permissions) !== true) {
                    die(json_error('Permission denied'));
                }
                // $path is only checked for existence and writability above;
                // nothing stops it from being pheditor.php itself
                unlink($path);
                ...
Payload
pheditor.php restricts which files can be removed, which prevents path traversal (that check is not part of the snippet above), but it does not stop the script from deleting itself: a delete request whose path points at pheditor.php removes the editor and takes the application down. To reproduce:
Go to http://localhost/pheditor-2/pheditor.php#/
Select any file in the left panel, for example README.md, and delete it.
Intercept the delete request in a proxy (Burp, for example: https://portswigger.net/burp/documentation/desktop/external-browser-config/browser-config-firefox).
Change the POST path value to /pheditor.php
Forward the forged request.
Refresh the browser and observe the denial of service: pheditor.php no longer exists.
Impact
Using the previous technique, an attacker with the deletefile permission can delete pheditor.php through the unlink() call at https://github.com/pheditor/pheditor/blob/69a79e3ba7f4a9f844cf5919c14a953e4a0d1867/pheditor.php#L378-L380 and cause a denial of service on the server.
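A hardened form of the delete branch, added here as an example rather than taken from pheditor, that keeps the existing deletefile permission check but resolves the requested path with realpath(), refuses anything that resolves outside MAIN_DIR, and refuses to delete the editor script itself. The function names, the $protected list and the temporary directory used for the self-check are assumptions made for this example.

```php
<?php
// Added example, not pheditor's own code: a hardened form of the 'delete'
// branch shown in the snippet. The function names, the $protected list and the
// temporary directory used for the self-check are assumptions made here.

/**
 * Resolve a user-supplied path against $baseDir and return the absolute path
 * that may be unlinked, or null if the request must be refused.
 *
 * Refused: paths that do not exist, directories, paths that resolve outside
 * $baseDir (traversal via '..' or symlinks), and every path in $protected.
 */
function resolve_deletable_path(string $baseDir, string $userPath, ?array $protected = null): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses '..' and symlinks and returns false for missing
    // files, so this also replaces the original file_exists() check.
    $target = realpath($base . DIRECTORY_SEPARATOR . ltrim($userPath, '/\\'));
    if ($target === false || is_dir($target)) {
        return null;
    }
    // Containment: the resolved target must sit strictly below $base.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    // Self-deletion guard: the running script (and anything else the operator
    // lists) is never a valid delete target, whatever the user's permissions.
    $protected = $protected ?? [realpath(__FILE__)];
    foreach ($protected as $p) {
        if ($p !== false && $target === $p) {
            return null;
        }
    }
    return $target;
}

/**
 * Hardened 'delete' handler. Permission is checked before any side effect
 * (the original snippet calls file_to_history() first).
 */
function handle_delete(string $baseDir, array $post, array $permissions, ?array $protected = null): array
{
    if (!isset($post['path']) || !is_string($post['path'])) {
        return ['ok' => false, 'error' => 'Missing path'];
    }
    if (!in_array('deletefile', $permissions, true)) {
        return ['ok' => false, 'error' => 'Permission denied'];
    }
    $path = resolve_deletable_path($baseDir, $post['path'], $protected);
    if ($path === null) {
        return ['ok' => false, 'error' => 'Invalid or protected path'];
    }
    if (!is_writable($path) || !unlink($path)) {
        return ['ok' => false, 'error' => 'Could not delete file'];
    }
    return ['ok' => true, 'deleted' => $path];
}

// Self-check on a constructed directory tree that stands in for MAIN_DIR (not
// a real pheditor install). The editor script is a stand-in file listed in
// $protected; in a real deployment realpath(__FILE__) is that entry.
$dir = sys_get_temp_dir() . '/pheditor-demo-' . getmypid();
mkdir($dir);
file_put_contents("$dir/README.md", "demo\n");
file_put_contents("$dir/pheditor.php", "<?php // stand-in for the editor script\n");
$outside = sys_get_temp_dir() . '/pheditor-demo-outside-' . getmypid() . '.txt';
file_put_contents($outside, "outside MAIN_DIR\n");
$protected = [realpath("$dir/pheditor.php")];
$perms = ['deletefile'];

$cases = [
    'README.md (allowed)'          => ['path' => '/README.md'],
    'pheditor.php (self-deletion)' => ['path' => '/pheditor.php'],
    'traversal outside MAIN_DIR'   => ['path' => '/../' . basename($outside)],
    'no deletefile permission'     => ['path' => '/pheditor.php'],
];
foreach ($cases as $label => $post) {
    $p = $label === 'no deletefile permission' ? [] : $perms;
    $r = handle_delete($dir, $post, $p, $protected);
    printf("%-30s -> %s\n", $label, $r['ok'] ? 'deleted ' . $r['deleted'] : 'refused: ' . $r['error']);
}
printf("pheditor.php still present: %s\n", file_exists("$dir/pheditor.php") ? 'yes' : 'no');
printf("outside file still present: %s\n", file_exists($outside) ? 'yes' : 'no');

// Clean up the constructed tree.
@unlink("$dir/pheditor.php");
@unlink($outside);
@rmdir($dir);
```

Run it with `php hardened_delete.php`: only README.md is deleted; the stand-in pheditor.php, the file outside the base directory and the request without the deletefile permission are all refused. The containment check compares against the realpath() of MAIN_DIR rather than the raw string, so a symlink inside MAIN_DIR pointing elsewhere is refused as well.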