Show HN: PHP 8 disable_functions bypass PoC

altairprime

Tell us more about how you searched for and uncovered this? Do you normally use PHP? What disclosure process did you use?

calvinmorrison

That's a nice find. People rely a little heavily on this, and it only says in the manual "This directive allows certain functions to be disabled." but its not a security sandbox. I think PHP has in the past explicitly stated its not a security feature. There have been a few issues over the years with this. Anyway - good OS security is required anytime you run software! heres one from 6 years ago https://bugs.php.net/bug.php?id=76047

halb

there was a php-only million-rows challenge that was posted here recently. This uaf offers the opportunity for the funniest solution.

turbert

from a quick skim, it looks like the underlying bug is just not handling object resurrection[1] at all (FreeMe adds a reference to $array while its destructor is called). I'm not really familiar with PHP but this seems like a surprising oversight for a popular language. Does PHP just not care about memory corruption? The fact that it is this easy is far more surprising than it being used to circumvent a questionable security feature. [1] https://en.wikipedia.org/wiki/Object_resurrection