Show HN: PHP 8 disable_functions bypass PoC

https://github.com/m0x41nos/TimeAfterFree

24•m0x41nos•2h ago

Comments

altairprime•1h ago

Tell us more about how you searched for and uncovered this? Do you normally use PHP? What disclosure process did you use?

calvinmorrison•1h ago

That's a nice find. People rely a little heavily on this, and it only says in the manual "This directive allows certain functions to be disabled." but its not a security sandbox.

I think PHP has in the past explicitly stated its not a security feature.

There have been a few issues over the years with this.

Anyway - good OS security is required anytime you run software!

heres one from 6 years ago https://bugs.php.net/bug.php?id=76047

kadoban•1h ago

> I think PHP has in the past explicitly stated its not a security feature.

I'm struggling to think what it's for then?

turbert•53m ago

likely intended more as a lint than a security feature, it's not unusual to want to exclude commonly misused features from your code and any libraries you use.

Knowing the mess that is the php standard library, I imagine many applications would want to just straight up ban the really bad parts.

calvinmorrison•50m ago

a lazy security feature that stops 90% of problems?

duskwuff•48m ago

> I'm struggling to think what it's for then?

Placating some users - mainly shared web hosting providers - who still think that disabling functions like system() and exec() is an effective security measure.

halb•1h ago

there was a php-only million-rows challenge that was posted here recently. This uaf offers the opportunity for the funniest solution.

turbert•59m ago

from a quick skim, it looks like the underlying bug is just not handling object resurrection[1] at all (FreeMe adds a reference to $array while its destructor is called).

I'm not really familiar with PHP but this seems like a surprising oversight for a popular language. Does PHP just not care about memory corruption? The fact that it is this easy is far more surprising than it being used to circumvent a questionable security feature.

[1] https://en.wikipedia.org/wiki/Object_resurrection

The workers behind Meta’s smart glasses can see everything

OpenClaw Exposure Watchboard

Show HN: I built a sub-500ms latency voice agent from scratch

Closure of the Weatheradio Service in Canada

Seed of Might Color Correction Process (2023) [pdf]

What are your guilty displeasures?

How to Build Your Own Quantum Computer

British Columbia to end time changes, adopt year-round daylight time

New iPad Air, powered by M4

First in-utero stem cell therapy for fetal spina bifida repair is safe: study

RCade: Building a Community Arcade Cabinet

The 185-Microsecond Type Hint

Against Query Based Compilers

Show HN: Govbase – Follow a bill from source text to news bias to social posts

The Cathode Ray Tube site

Motorola announces a partnership with GrapheneOS

Programmable Cryptography

Welcome (back) to Macintosh

Show HN: Giggles – A batteries-included React framework for TUIs

iPhone 17e

Ask HN: Who is hiring? (March 2026)

Show HN: Visual Lambda Calculus – a thesis project (2008) revived for the web

Inside the M4 Apple Neural Engine, Part 1: Reverse Engineering

Launch HN: OctaPulse (YC W26) – Robotics and computer vision for fish farming

"That Shape Had None" – A Horror of Substrate Independence (Short Fiction)

LFortran compiles fpm

Reflex (YC W23) Is Hiring Software Engineers – Python

Ask HN: Who wants to be hired? (March 2026)

Show HN: Pianoterm – Run shell commands from your Piano. A Linux CLI tool

Parallel coding agents with tmux and Markdown specs