Vulnerability in PHP that allows bypassing restrictions set in php.ini

A method has been published for bypassing restrictions in the PHP interpreter that are set with the disable_functions directive and other php.ini settings. Recall that the disable_functions directive makes it possible to prohibit the use of certain internal functions in scripts. For example, you can prohibit "system, exec, passthru, popen, proc_open and shell_exec" to block calls to external programs, or fopen to prohibit opening files.

It is noteworthy that the proposed exploit uses a vulnerability that was reported to the PHP developers over 10 years ago, but they considered it a minor problem that does not affect security. The proposed attack method is based on changing parameter values in process memory and works in all current releases of PHP, starting with PHP 7.0 (the attack is also possible on PHP 5.x, but this requires changes to the exploit). The exploit has been tested on various Debian, Ubuntu, CentOS and FreeBSD configurations with PHP running as cli, fpm and an apache2 module.
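An added example, not part of the original article or of PHP itself: a small Python check that reads php.ini text and reports which of the functions the article lists are not covered by disable_functions. The sample ini text and the helper names are constructed for illustration, and the parsing rules marked in the comments are assumptions; given the bypass described above, the result is a configuration-hygiene check rather than evidence of isolation.

```python
import re

# Functions the article names as commonly disabled to block external programs.
EXEC_FUNCTIONS = ("system", "exec", "passthru", "popen", "proc_open", "shell_exec")

DIRECTIVE = re.compile(r"^\s*disable_functions\s*=(.*)$")


def disabled_functions(ini_text):
    """Return the set of names in the effective disable_functions line."""
    value = ""
    for line in ini_text.splitlines():
        if line.lstrip().startswith(";"):      # whole-line comment
            continue
        match = DIRECTIVE.match(line)
        if match:
            # Assumption: a later occurrence replaces an earlier one.
            # Drop any trailing ";" comment and surrounding quotes.
            value = match.group(1).split(";", 1)[0].strip().strip("\"'")
    # Assumption: entries are separated by commas and/or whitespace.
    return {name for name in re.split(r"[,\s]+", value) if name}


def still_callable(ini_text, wanted=EXEC_FUNCTIONS):
    """List the functions from `wanted` that the ini text does not disable."""
    disabled = disabled_functions(ini_text)
    return [name for name in wanted if name not in disabled]


# Constructed sample input, not taken from any real server.
SAMPLE_INI = """\
[PHP]
; disable_functions = system,exec,passthru,popen,proc_open,shell_exec
disable_functions = "system, exec, passthru, shell_exec"  ; hardening
open_basedir = /var/www
"""

if __name__ == "__main__":
    missing = still_callable(SAMPLE_INI)
    print("not disabled:", ", ".join(missing) or "none")
```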

Source: opennet.ru
