Show HN: PHP 8 disable_functions bypass PoC

Published: March 2, 2026 at 08:12 PM EST
Source: Hacker News

PHP 8 sandbox escape PoC demonstrating a disable_functions bypass on Unix‑like systems.

This exploit leverages a use‑after‑free bug to bypass disable_functions and execute system commands. It uses the DateInterval object both to leak heap pointers and to obtain read/write primitives.

The PoC was tested across multiple standard PHP distributions and common server APIs (CLI, PHP‑FPM, Apache module) and reproduces deterministically.

Affected Versions

  • PHP 8.2.x
  • PHP 8.3.x
  • PHP 8.4.x
  • PHP 8.5.x

Mitigation / Notes

PHP core is memory‑unsafe, and memory corruption in typical PHP deployments is exploitable. While some PHP memory‑corruption issues and exploitation strategies are publicly known, others are not. Relying on sandboxing mechanisms such as disable_functions for security is wishful thinking.

Disclaimer

The PoC in this repository is provided strictly for educational and research purposes. The author does not endorse or encourage any unauthorized access to systems.
