php · pheditor/pheditor · Critical
pheditor: OS Command Injection in Terminal Handler
An OS Command Injection vulnerability was discovered in pheditor's terminal handler.
What changed
The `dir` POST parameter is passed to `shell_exec()` without sanitization, so an authenticated user can inject arbitrary commands through shell metacharacters in that parameter. Because the injection happens in the directory argument rather than in the command itself, the TERMINAL_COMMANDS whitelist does not stop it.
Who it affects
Any authenticated pheditor user who has terminal permission enabled, which is the default configuration.
What to do today
Apply the fix by replacing `$dir` with `escapeshellarg($dir)` on line 586 of `pheditor.php`, or disable terminal permissions immediately.
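As an added example that is not pheditor's own code, the handler shape below (a whitelisted command run with `cd` into a POST-supplied directory) is an assumption modelled on the advisory, not the real code at line 586; it puts the raw interpolation beside the `escapeshellarg()` fix and adds a `realpath()` containment check as defence in depth that goes beyond the advisory's one-line fix.

```php
<?php
// Added example, not pheditor's own code. How $dir and the whitelisted
// command are combined here is an assumption based on the advisory.

// Stand-in for the TERMINAL_COMMANDS whitelist named in the advisory.
const TERMINAL_COMMANDS = ['ls', 'pwd', 'git status'];

// Vulnerable shape: $dir is interpolated raw, so the whitelist on the
// command is irrelevant once $dir carries shell metacharacters.
function buildCommandVulnerable(string $cmd, string $dir): ?string
{
    if (!in_array($cmd, TERMINAL_COMMANDS, true)) {
        return null;
    }
    return "cd $dir && $cmd 2>&1";
}

// Fixed shape: escapeshellarg() wraps $dir in single quotes and escapes
// embedded quotes, so the shell receives it as one literal argument.
function buildCommandFixed(string $cmd, string $dir): ?string
{
    if (!in_array($cmd, TERMINAL_COMMANDS, true)) {
        return null;
    }
    return 'cd ' . escapeshellarg($dir) . ' && ' . $cmd . ' 2>&1';
}

// Defence in depth (beyond the advisory's fix): accept only an existing
// directory under an allowed root, resolved with realpath() so that
// '..' segments and symlinks cannot escape it.
function resolveDirUnderRoot(string $dir, string $root): ?string
{
    $real = realpath($dir);
    $rootReal = realpath($root);
    if ($real === false || $rootReal === false || !is_dir($real)) {
        return null;
    }
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($real !== $rootReal && strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed input: a dir value carrying a shell metacharacter. Nothing is
// executed here; only the command strings are built and shown.
$dir = '/tmp; echo injected';
echo "vulnerable: ", buildCommandVulnerable('ls', $dir), PHP_EOL;
echo "fixed:      ", buildCommandFixed('ls', $dir), PHP_EOL;
echo "contained:  ", var_export(resolveDirUnderRoot($dir, '/tmp'), true), PHP_EOL;
```

The contained check returns `null` for the constructed value because no such directory exists, which is the behaviour to want before any shell call is made.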