Improper Restriction of Names for Files and Other Resources in pheditor/pheditor


Reported on

Oct 2nd 2021


This issue allows an attacker to influence calls to the 'unlink()' function and delete arbitrary files. pheditor is vulnerable to DoS via arbitrary file deletion.

Proof of concept

Vulnerable variable: $_POST['path']

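        case 'delete':
            // The path is taken directly from the POST body.
            if (isset($_POST['path']) && file_exists(MAIN_DIR . $_POST['path'])) {
                $path = MAIN_DIR . $_POST['path'];
                // ... (lines omitted in the report)
                } else {
                    // Only writability and the 'deletefile' permission are checked here.
                    if (is_writable($path)) {
                        if (in_array('deletefile', $permissions) !== true) {
                            die(json_error('Permission denied'));
                        // ... (excerpt ends here in the report)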



pheditor.php restricts which files can be removed, which avoids path traversal attacks. However, an attacker can still cause a denial of service, because the script file pheditor.php can be removed by itself. To show this, do the following:

Go to http://localhost/pheditor-2/pheditor.php#/
Select any file in the left panel, for example
Intercept the request in a proxy (Burp, for example).
Change the POST path value to /pheditor.php
Forward the forged request.
Now refresh the browser and observe the denial of service.


The technique above allows an attacker to perform denial of service attacks on the server.
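One way a delete handler can refuse this request, as an added example that is not pheditor's code and not the fix commit: resolve the requested path to its canonical form, confine it to the editor root, and reject it when it matches a protected file such as the editor script. The function name resolve_deletable_path(), the $protected list and the temporary demo tree are assumptions made for illustration; in the editor the protected list would contain __FILE__.

```php
<?php
declare(strict_types=1);

/**
 * Return the canonical path the delete handler may unlink(), or null to refuse.
 * Hypothetical helper: $protected lists files the editor must never remove.
 */
function resolve_deletable_path(string $root, string $requested, array $protected): ?string
{
    $root = realpath($root);
    if ($root === false) {
        return null; // editor root is missing
    }
    $real = realpath($root . DIRECTORY_SEPARATOR . ltrim($requested, '/\\'));
    if ($real === false) {
        return null; // target does not exist
    }
    // Stay inside the root; the trailing separator keeps /srv/www2 from matching /srv/www.
    if (strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    // Compare canonical paths, so "/./pheditor.php" or a symlink to the script is still caught.
    foreach ($protected as $file) {
        if (realpath($file) === $real) {
            return null;
        }
    }
    return (is_file($real) && is_writable($real)) ? $real : null;
}

// Constructed demo tree standing in for MAIN_DIR; the pheditor.php here is a stand-in file.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'delete-demo-' . getmypid();
mkdir($root);
file_put_contents("$root/pheditor.php", "<?php // stand-in\n");
file_put_contents("$root/notes.txt", "scratch\n");
$protected = ["$root/pheditor.php"];

foreach (['/notes.txt', '/pheditor.php', '/./pheditor.php', '/../notes.txt'] as $requested) {
    $target = resolve_deletable_path($root, $requested, $protected);
    printf("%-18s %s\n", $requested, $target === null ? 'refused' : 'deleted');
    if ($target !== null) {
        unlink($target);
    }
}
unlink("$root/pheditor.php"); // clean up the demo tree
rmdir($root);
```

The protected-file comparison is done on the resolved path rather than on the raw POST value, because a string comparison against "/pheditor.php" alone would miss equivalent spellings of the same file.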

We have contacted a member of the pheditor team and are waiting to hear back a year ago
hitisec modified the report a year ago
Hamid Samak validated this vulnerability a year ago
hitisec has been awarded the disclosure bounty
The fix bounty is now up for grabs
Hamid Samak marked this as fixed with commit bb9567 a year ago
Hamid Samak has been awarded the fix bounty
This vulnerability will not receive a CVE
pheditor.php#L435-L447 has been validated
pheditor.php#L416-L419 has been validated
pheditor.php#L398-L406 has been validated