Show HN: PHP 8 disable_functions bypass PoC

https://github.com/m0x41nos/TimeAfterFree

24•m0x41nos•1h ago

Comments

altairprime•1h ago

Tell us more about how you searched for and uncovered this? Do you normally use PHP? What disclosure process did you use?

calvinmorrison•53m ago

That's a nice find. People rely a little heavily on this, and it only says in the manual "This directive allows certain functions to be disabled." but its not a security sandbox.

I think PHP has in the past explicitly stated its not a security feature.

There have been a few issues over the years with this.

Anyway - good OS security is required anytime you run software!

heres one from 6 years ago https://bugs.php.net/bug.php?id=76047

kadoban•36m ago

> I think PHP has in the past explicitly stated its not a security feature.

I'm struggling to think what it's for then?

turbert•23m ago

likely intended more as a lint than a security feature, it's not unusual to want to exclude commonly misused features from your code and any libraries you use.

Knowing the mess that is the php standard library, I imagine many applications would want to just straight up ban the really bad parts.

calvinmorrison•20m ago

a lazy security feature that stops 90% of problems?

duskwuff•18m ago

> I'm struggling to think what it's for then?

Placating some users - mainly shared web hosting providers - who still think that disabling functions like system() and exec() is an effective security measure.

halb•53m ago

there was a php-only million-rows challenge that was posted here recently. This uaf offers the opportunity for the funniest solution.

turbert•29m ago

from a quick skim, it looks like the underlying bug is just not handling object resurrection[1] at all (FreeMe adds a reference to $array while its destructor is called).

I'm not really familiar with PHP but this seems like a surprising oversight for a popular language. Does PHP just not care about memory corruption? The fact that it is this easy is far more surprising than it being used to circumvent a questionable security feature.

[1] https://en.wikipedia.org/wiki/Object_resurrection

Show HN: Konform Browser v140.8.0-105

Evolving Typst

Cloudflare uses lava lamps for randomness

Arabic document from 17th-cent. rubbish heap confirms semi-legendary Nubian king

Amazon says drone strikes damaged 3 facilities in UAE and Bahrain

Show HN: Offline desktop tool that extracts media endpoints from raw HTML

224k Publicly Exposed OpenClaw Instances

Show HN: kg Food Log (Google Gemini powered nutrition tracker)

Trading on Violence

Show HN: ResumeForge – Free AI resume builder with real-time ATS scoring

Show HN: AgentOx – MCP Security and Conformance Auditor

Rail Settlement Plan Barcode Specs

AI Authentication and Authorization

Show HN: Understand GitHub Trending with AI

PaywallPro

Ed Gutenburg: The First Autonomous Investigative Reporter

Show HN: Giggles – A batteries-included React framework for TUIs

Curl documentation bans the word 'very'

Building an Open-Source Verilog Simulator with AI: 580K Lines in 43 Days

Iran's Cryptic Shortwave Messages [video]

Entry-level PC market to 'disappear' by 2028 – memory prices strain PC market

How to Recover Your Stolen Crypto After a Scam–Guidance from Intelligence Wizard

Show HN: Autonoma – Python secret fixer that refuses unsafe fixes

The Excommunicated Devs Making Games with AI

Ask HN: What Online LLM / Chat do you use?

CKAN – an open-source DMS (data management system)

My (Hypothetical) SRECon26 Keynote

Prompt Vault – Save and organize your AI prompts ($9 Pro)

Show HN: An Auditable Decision Engine for AI Systems

How to Recover Your Stolen Crypto After a Scam–Guidance from Intelligence Wizard

Show HN: Konform Browser v140.8.0-105

Evolving Typst

Cloudflare uses lava lamps for randomness

Arabic document from 17th-cent. rubbish heap confirms semi-legendary Nubian king

Amazon says drone strikes damaged 3 facilities in UAE and Bahrain

Show HN: Offline desktop tool that extracts media endpoints from raw HTML

224k Publicly Exposed OpenClaw Instances

Show HN: kg Food Log (Google Gemini powered nutrition tracker)

Trading on Violence

Show HN: ResumeForge – Free AI resume builder with real-time ATS scoring

Show HN: AgentOx – MCP Security and Conformance Auditor

Rail Settlement Plan Barcode Specs

AI Authentication and Authorization

Show HN: Understand GitHub Trending with AI

PaywallPro

Ed Gutenburg: The First Autonomous Investigative Reporter

Show HN: Giggles – A batteries-included React framework for TUIs

Curl documentation bans the word 'very'

Building an Open-Source Verilog Simulator with AI: 580K Lines in 43 Days

Iran's Cryptic Shortwave Messages [video]

Entry-level PC market to 'disappear' by 2028 – memory prices strain PC market

How to Recover Your Stolen Crypto After a Scam–Guidance from Intelligence Wizard

Show HN: Autonoma – Python secret fixer that refuses unsafe fixes

The Excommunicated Devs Making Games with AI

Ask HN: What Online LLM / Chat do you use?

CKAN – an open-source DMS (data management system)

My (Hypothetical) SRECon26 Keynote

Prompt Vault – Save and organize your AI prompts ($9 Pro)

Show HN: An Auditable Decision Engine for AI Systems

How to Recover Your Stolen Crypto After a Scam–Guidance from Intelligence Wizard

Show HN: PHP 8 disable_functions bypass PoC

Comments