Show HN: I built a sub-500ms latency voice agent from scratch

https://www.ntik.me/posts/voice-agent
214•nicktikhonov•5h ago•63 comments

Show HN: Govbase – Follow a bill from source text to news bias to social posts

https://govbase.com
162•foxfoxx•10h ago•72 comments

Show HN: Giggles – A batteries-included React framework for TUIs

https://github.com/zion-off/giggles
4•ajz317•55m ago•3 comments

Show HN: Visual Lambda Calculus – a thesis project (2008) revived for the web

https://github.com/bntre/visual-lambda
23•bntr•2d ago•4 comments

Show HN: Pianoterm – Run shell commands from your Piano. A Linux CLI tool

https://github.com/vustagc/pianoterm
42•vustagc•6h ago•15 comments

Show HN: uBlock filter list to blur all Instagram Reels

https://gist.github.com/shraiwi/009c652da6ce8c99a6e1e0c86fe66886
105•shraiwi•7h ago•29 comments

Show HN: PHP 8 disable_functions bypass PoC

https://github.com/m0x41nos/TimeAfterFree
24•m0x41nos•2h ago•8 comments

Show HN: An Auditable Decision Engine for AI Systems

https://maelstrom.ghostlogic.tech
2•adamscottthomas•1h ago•0 comments

Show HN: Omni – Open-source workplace search and chat, built on Postgres

https://github.com/getomnico/omni
151•prvnsmpth•18h ago•41 comments

Show HN: Timber – Ollama for classical ML models, 336x faster than Python

https://github.com/kossisoroyce/timber
184•kossisoroyce•1d ago•30 comments

Show HN: ApplyPilot – AI Agent that applies to jobs for you

https://github.com/Pickle-Pixel/ApplyPilot
3•pickle-pixel•2h ago•0 comments

Show HN: Web Audio Studio – A Visual Debugger for Web Audio API Graphs

https://webaudio.studio/
60•alexgriss•15h ago•5 comments

Show HN: Gapless.js – gapless web audio playback

https://github.com/RelistenNet/gapless.js
29•switz•8h ago•7 comments

Show HN: Open-Source Postman for MCP

https://github.com/baristaGeek/open-source-postman-for-mcp
4•baristaGeek•3h ago•0 comments

Show HN: We filed 99 patents for deterministic AI governance(Prior Art vs. RLHF)

2•genesalvatore•4h ago•0 comments

Show HN: Try Archetype 360 – AI‑powered personality test, 3× deeper than MBTI

https://archetype360.app/
8•ddesposito•11h ago•5 comments

Show HN: Punch card simulator and Fortran IV interpreter

https://punch.ehrlich.dev/
4•behrlich•8h ago•0 comments

Show HN: Writing App for Novelist

https://novelos.studio/
6•oknoorap•7h ago•2 comments

Show HN: Vanilla JavaScript refinery simulator built to explain job to my kids

3•fuelingcurious•5h ago•1 comments

Show HN: Agd – a content-addressed DAG for tracking what AI agents do

https://github.com/frontman-ai/agd
3•BlueHotDog2•5h ago•0 comments

Show HN: BoardMint – upload a PCB, get a standards-backed issue report in ~30s

https://boardmint.io/how-it-works
3•pranavchahal•6h ago•1 comments

Show HN: CrowPay – add x402 in a few lines, let AI agents pay per request

https://www.crowpay.ai/
3•ssistilli•6h ago•0 comments

Show HN: Aft, a Python toolkit to study agent behavior

https://github.com/technoyoda/aft
2•chse_cake•7h ago•0 comments

Show HN: Watchtower – see every API call Claude Code and Codex CLI make

https://github.com/fahd09/watchtower
3•fahd09•7h ago•1 comments

Show HN: I spent a billion tokens bridging Elixir and WebAssembly

https://yev.bar/firebird
2•yevbar•8h ago•1 comments

Show HN: Smart-commit-rs – A zero-dependency Git commit tool in Rust

https://github.com/gtkacz/smart-commit-rs
2•gtkacz•8h ago•0 comments

Show HN: Valkey-powered semantic memory for Claude Code sessions

2•kaliades•8h ago•0 comments

Show HN: Audio Toolkit for Agents

https://github.com/shiehn/sas-audio-processor
57•stevehiehn•1d ago•9 comments

Show HN: Logira – eBPF runtime auditing for AI agent runs

https://github.com/melonattacker/logira
24•melonattacker•1d ago•3 comments

Show HN: I built a zero-browser, pure-JS typesetting engine for bit-perfect PDFs

https://github.com/cosmiciron/vmprint
75•cosmiciron•1d ago•54 comments

Show HN: PHP 8 disable_functions bypass PoC

https://github.com/m0x41nos/TimeAfterFree
24•m0x41nos•2h ago

Comments

altairprime•1h ago
Tell us more about how you searched for and uncovered this? Do you normally use PHP? What disclosure process did you use?

calvinmorrison•1h ago
That's a nice find. People rely a little heavily on this, and it only says in the manual "This directive allows certain functions to be disabled." but it's not a security sandbox.

I think PHP has in the past explicitly stated it's not a security feature.

There have been a few issues over the years with this.

Anyway - good OS security is required anytime you run software!

Here's one from 6 years ago: https://bugs.php.net/bug.php?id=76047

kadoban•1h ago
> I think PHP has in the past explicitly stated it's not a security feature.

I'm struggling to think what it's for then?

turbert•51m ago
Likely intended more as a lint than a security feature; it's not unusual to want to exclude commonly misused features from your code and any libraries you use.

Knowing the mess that is the PHP standard library, I imagine many applications would want to just straight up ban the really bad parts.

calvinmorrison•48m ago
A lazy security feature that stops 90% of problems?

duskwuff•46m ago
> I'm struggling to think what it's for then?

Placating some users - mainly shared web hosting providers - who still think that disabling functions like system() and exec() is an effective security measure.

halb•1h ago
There was a PHP-only million-rows challenge that was posted here recently. This UAF offers the opportunity for the funniest solution.

turbert•58m ago
From a quick skim, it looks like the underlying bug is just not handling object resurrection[1] at all (FreeMe adds a reference to $array while its destructor is called).

I'm not really familiar with PHP but this seems like a surprising oversight for a popular language. Does PHP just not care about memory corruption? The fact that it is this easy is far more surprising than it being used to circumvent a questionable security feature.

[1] https://en.wikipedia.org/wiki/Object_resurrection
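
The bug class named in the last comment, object resurrection in a reference-counted runtime, shown as a toy model in C. This is an added example, not part of the thread and not PHP's or the PoC's code; the `obj` layout and the names `release_naive`, `release_checked` and `dangling_after` are hypothetical, and a `freed` flag stands in for a real `free()` so nothing is actually dereferenced after release.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy refcounted object (hypothetical layout, not PHP's internals). */
typedef struct obj {
    int refcount;
    bool dtor_called;            /* a destructor runs at most once */
    bool freed;                  /* stands in for free(): storage is gone */
    void (*dtor)(struct obj *);
} obj;

static obj *global_slot;         /* somewhere a destructor can stash a reference */

/* Destructor that resurrects its object by creating a new reference to it. */
static void resurrecting_dtor(obj *o) { o->refcount++; global_slot = o; }

static void run_dtor_once(obj *o) {
    if (o->dtor && !o->dtor_called) { o->dtor_called = true; o->dtor(o); }
}

/* Naive release: frees unconditionally once the count reaches zero. */
static void release_naive(obj *o) {
    if (--o->refcount > 0) return;
    run_dtor_once(o);
    o->freed = true;             /* any reference taken in the dtor now dangles */
}

/* Resurrection-aware release: re-check the count after the destructor ran. */
static void release_checked(obj *o) {
    if (--o->refcount > 0) return;
    run_dtor_once(o);
    if (o->refcount > 0) return; /* resurrected: the new owner keeps it alive */
    o->freed = true;
}

/* True if a reachable reference points at storage the runtime has freed. */
static bool dangling_after(void (*release)(obj *)) {
    obj o = { .refcount = 1, .dtor = resurrecting_dtor };
    global_slot = NULL;
    release(&o);
    return global_slot == &o && o.freed;
}

int main(void) {
    printf("naive=%d checked=%d\n", dangling_after(release_naive), dangling_after(release_checked));
    return 0;
}
```

The only difference between the two release paths is the refcount re-check after the destructor returns; without it, the reference the destructor created outlives the storage it points to.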