4 comments

[ 3.2 ms ] story [ 23.1 ms ] thread
Tell us more about how you searched for and uncovered this? Do you normally use PHP? What disclosure process did you use?
That's a nice find. People rely a little heavily on this, and it only says in the manual "This directive allows certain functions to be disabled." but its not a security sandbox.

I think PHP has in the past explicitly stated its not a security feature.

There have been a few issues over the years with this.

Anyway - good OS security is required anytime you run software!

heres one from 6 years ago https://bugs.php.net/bug.php?id=76047

there was a php-only million-rows challenge that was posted here recently. This uaf offers the opportunity for the funniest solution.
from a quick skim, it looks like the underlying bug is just not handling object resurrection[1] at all (FreeMe adds a reference to $array while its destructor is called).

I'm not really familiar with PHP but this seems like a surprising oversight for a popular language. Does PHP just not care about memory corruption? The fact that it is this easy is far more surprising than it being used to circumvent a questionable security feature.

[1] https://en.wikipedia.org/wiki/Object_resurrection