It is quite amusing how the "safe_mode is flawed by design" green card is nowadays used to deny the seriousness of local PHP vulnerabilities. Just because safe_mode was a bad idea this does not automatically made disable_function a bad idea. And yes disable_function is nearly always used. Admins forbid the usage of all kind of functions like ini_get(), phpinfo(), shell_exec(), popen(), ...

So here comes the challenge. Imagine a PHP 5.2.2 server with ALL builtin functions being disabled. The challenge is to write PHP code that executes any binary inside the /bin directory. According to all those (marketing) people who claim that executing any PHP code is equal to shell access and therefore local vulnerabilities in PHP are irrelevant, this should not be too hard.

Yeah well, I guess all those not yet brainwashed by the marketing departments have already realised that without access to ALL builtin functions it requires a local PHP vulnerability to achieve this otherwise impossible task and therefore I win anyway.