Show HN: PHP 8 disable_functions bypass PoC
m0x41nos
25 points
8 comments
March 03, 2026
Related Discussions
Found 5 related stories in 777.0ms across 14,015 title embeddings via pgvector HNSW
- Show HN: OpenHack – OSS security scanner, 40x cheaper, on par with Opus 4.6 ananayarora · 12 pts · June 04, 2026 · 48% similar
- Show HN: Sighthound - open-source vulnerability scanner for source code asadeddin · 13 pts · July 09, 2026 · 47% similar
- Show HN: I nerfed our coding agents on purpose noahfradin · 22 pts · June 05, 2026 · 46% similar
- Show HN: PHP-fts – Full-text search engine in pure PHP, no extensions asmodios · 54 pts · May 06, 2026 · 46% similar
- BadHost – CVE-2026-48710 Starlette Host-Header Auth Bypass ylk · 14 pts · May 26, 2026 · 45% similar
Discussion Highlights (4 comments)
altairprime
Tell us more about how you searched for and uncovered this? Do you normally use PHP? What disclosure process did you use?
calvinmorrison
That's a nice find. People rely a little heavily on this, and it only says in the manual "This directive allows certain functions to be disabled." but its not a security sandbox. I think PHP has in the past explicitly stated its not a security feature. There have been a few issues over the years with this. Anyway - good OS security is required anytime you run software! heres one from 6 years ago https://bugs.php.net/bug.php?id=76047
halb
there was a php-only million-rows challenge that was posted here recently. This uaf offers the opportunity for the funniest solution.
turbert
from a quick skim, it looks like the underlying bug is just not handling object resurrection[1] at all (FreeMe adds a reference to $array while its destructor is called). I'm not really familiar with PHP but this seems like a surprising oversight for a popular language. Does PHP just not care about memory corruption? The fact that it is this easy is far more surprising than it being used to circumvent a questionable security feature. [1] https://en.wikipedia.org/wiki/Object_resurrection