March 2, 2026

When “off” means “not really”

Show HN: PHP 8 disable_functions bypass PoC

Hacker demo shows PHP’s “off switch” isn’t safe; comments split between “told you so” and “uh oh”

TLDR: A researcher showed a working demo that bypasses PHP’s “disable functions,” letting commands run anyway across popular PHP 8 versions. Commenters split between “this was never security” and alarm, with jokes, finger‑wagging, and calls for real OS-level sandboxing taking center stage.

A new Show HN dropped a bomb: a proof of concept (PoC) shows how to slip past PHP's `disable_functions` safety setting and still run system commands. The trick uses a memory bug (a use-after-free) and a DateInterval object to escape the sandbox across PHP 8.2 through 8.5, and it works reliably in common setups.

Cue the comments going nuclear. The top vibe? “This was never a security feature.” One user, matter‑of‑fact and a little smug, reminds everyone that the manual never promised a fortress—just a way to turn off certain functions. The sysadmin crowd chimed in with “lock your OS down, stop relying on PHP settings,” while others were floored that something this basic slipped through in such a popular language. One incredulous voice asked if PHP “just doesn’t care about memory corruption,” sparking a chorus of anxious nods and the inevitable “rewrite it in Rust” quips.

Not all reactions were doom and gloom—someone joked this bug could deliver the “funniest solution” to a recent PHP-only million-rows challenge, and the thread erupted in gallows humor. Meanwhile, the responsible disclosure crowd pressed for details on how the researcher found it and reported it. In short: half the room is saying “we warned you,” the other half is sweating—and everyone agrees you need real OS sandboxing, not wishful checkboxes.

Key Points

  • A PoC named TimeAfterFree demonstrates a bypass of PHP’s disable_functions on Unix-like systems.
  • The exploit uses a use-after-free vulnerability to execute system commands.
  • Exploitation techniques leverage PHP’s DateInterval object to leak heap pointers and gain read/write primitives.
  • The PoC reproduces deterministically across PHP CLI, PHP-FPM, and the Apache module on multiple standard distributions.
  • Affected versions are PHP 8.2.x through 8.5.x, and the article cautions that disable_functions is not a reliable security boundary.
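The thread's practical takeaway is that the real boundary has to sit below PHP, in the OS. As an added illustration (not code from the page, the researcher, or the PHP project), here is a systemd drop-in that confines a PHP-FPM service so that a command spawned through a bypass like this one still cannot write outside the paths the application actually needs, gain privileges, or reach kernel tunables. The unit name `php-fpm.service`, the drop-in path, and the application paths are assumptions; adjust them to your distribution and deployment.

```ini
# Hypothetical drop-in: /etc/systemd/system/php-fpm.service.d/hardening.conf
# (unit name and paths are assumptions; check `systemctl status php-fpm` on your host)
[Service]
# Children cannot gain privileges via setuid binaries, even if exec is reached
NoNewPrivileges=yes
# Whole filesystem read-only except the paths listed below
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictSUIDSGID=yes
# Allow only the syscalls a typical service needs; block privileged/resource ones
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
# Only these paths are writable: app storage and the FPM socket directory (assumed)
ReadWritePaths=/var/www/app/storage
RuntimeDirectory=php-fpm
LogsDirectory=php-fpm
# The FPM master needs to drop to the pool user and chown its socket; nothing more
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_CHOWN CAP_KILL
```

Apply it with `systemctl daemon-reload` followed by `systemctl restart php-fpm`, then verify the confinement with `systemd-analyze security php-fpm.service`. This does not make `disable_functions` work; it makes it matter less, because whatever the PHP process executes inherits the same read-only filesystem, capability bounding set and syscall filter. Test against a staging deployment first, since `ProtectSystem=strict` will break any application path that was silently relying on being writable.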

Hottest takes

"People rely a little heavily on this ... it's not a security sandbox" — calvinmorrison
"This uaf offers the opportunity for the funniest solution" — halb
"Does PHP just not care about memory corruption?" — turbert
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.