PHP Object Injection
PHP Object Injection (POI) is a vulnerability in which an attacker supplies a crafted serialized string that the application turns back into a PHP object, so that the object's contents, and therefore the application's control flow, are under the attacker's control. Depending on which classes the application has loaded, the outcome ranges from remote code execution to arbitrary file writes, directory traversal, and so on. The root cause is user-supplied input reaching an unserialize() call. unserialize() does not execute the input as PHP code; it instantiates whatever class the string names, fills its properties with attacker-chosen values, and the class's magic methods (__wakeup(), __destruct(), __toString() and others) then run on those values. The situation is serious enough that the official PHP documentation for unserialize() carries the following warning:
Note
Do not pass untrusted user input to unserialize(). Unserialization can result in code being loaded and executed due to object instantiation and autoloading, and a malicious user may be able to exploit this.
In PHP, serialization converts an object or an array into a storable string representation that can be written to a flat file, a database, a cookie or a session store. This lets a developer keep complex structures beyond the life of the running script and...
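The following is an added illustration, not code from the original article: it shows the serialized format that the paragraph above describes, then the vulnerable pattern from the opening paragraph (untrusted input handed straight to unserialize()) next to a hardened version. The class names, the cookie-style input, the gadget's side effect and the /tmp path are all hypothetical and chosen to make the mechanism visible while remaining harmless to run; it assumes PHP 8.0 or later.

```php
<?php
// Added example (not from the original article). Hypothetical classes and
// values; assumes PHP >= 8.0. Run with: php poi_demo.php
declare(strict_types=1);

// 1. Serialization as a storable format: a plain data object round-trips cleanly.
final class UserPrefs
{
    public function __construct(public string $theme = 'light', public int $pageSize = 20) {}
}

function storedFormat(): string
{
    // Yields: O:9:"UserPrefs":2:{s:5:"theme";s:4:"dark";s:8:"pageSize";i:50;}
    // O:<len>:"<class>":<n props>:{ s:<len>:"<name>";<value>; ... }
    return serialize(new UserPrefs('dark', 50));
}

// 2. A "gadget": any loadable class whose magic methods have side effects.
//    Here __destruct writes a file, using whatever property values it was given.
final class TemplateCache
{
    public string $path = '';
    public string $content = '';

    public function __destruct()
    {
        // Fires when the object is released, with properties that may have come
        // straight out of unserialize(). In a real attack $path would sit under
        // the web root and $content would be a web shell.
        if ($this->path !== '') {
            file_put_contents($this->path, $this->content);
        }
    }
}

// 3. Vulnerable: the input (think: a cookie) is trusted and deserialized as-is.
//    The attacker, not the developer, decides which class gets instantiated.
function loadPrefsVulnerable(string $cookie): mixed
{
    return unserialize($cookie);
}

// Constructed attacker payload: a TemplateCache instead of the expected UserPrefs.
// Lengths are part of the format and must match: "TemplateCache" = 13 bytes,
// "/tmp/poi_demo.php" = 17 bytes, "<?php phpinfo(); ?>" = 19 bytes.
const PAYLOAD = 'O:13:"TemplateCache":2:{s:4:"path";s:17:"/tmp/poi_demo.php";'
              . 's:7:"content";s:19:"<?php phpinfo(); ?>";}';

// 4. Hardened: either restrict unserialize() to a whitelist (PHP >= 7.0) and
//    type-check the result, or avoid unserialize() on external data entirely.
function loadPrefsSafe(string $cookie): UserPrefs
{
    // Disallowed classes come back as __PHP_Incomplete_Class, whose magic
    // methods never run; malformed input yields false. Both fail the check.
    $obj = @unserialize($cookie, ['allowed_classes' => [UserPrefs::class]]);
    if (!$obj instanceof UserPrefs) {
        throw new UnexpectedValueException('prefs rejected');
    }
    return $obj;
}

function loadPrefsJson(string $cookie): UserPrefs
{
    // JSON cannot name a class, so there is no object instantiation to abuse.
    $data = json_decode($cookie, true, 2, JSON_THROW_ON_ERROR);
    return new UserPrefs((string)($data['theme'] ?? 'light'), (int)($data['pageSize'] ?? 20));
}

echo storedFormat(), PHP_EOL;

$obj = loadPrefsVulnerable(PAYLOAD);
echo 'vulnerable path instantiated: ', get_class($obj), PHP_EOL; // TemplateCache
unset($obj);                                                    // __destruct fires here
echo 'gadget wrote file: ', var_export(is_file('/tmp/poi_demo.php'), true), PHP_EOL;
@unlink('/tmp/poi_demo.php');

try {
    loadPrefsSafe(PAYLOAD);
} catch (UnexpectedValueException $e) {
    echo 'hardened path: ', $e->getMessage(), PHP_EOL;           // prefs rejected
}

$prefs = loadPrefsJson('{"theme":"dark","pageSize":50}');
echo 'json path: ', $prefs->theme, ' / ', $prefs->pageSize, PHP_EOL;
```

Two points worth noting. First, the attacker never needs a code-execution primitive in the input itself; the payload is pure data, and the damage comes from a class that already exists in the application (or is reachable through its autoloader). Second, allowed_classes is only as safe as the classes on the list, which is why the PHP manual warns against untrusted input regardless of that option: if UserPrefs itself had a dangerous __wakeup() or __destruct(), the whitelist would not help, whereas a format such as JSON that cannot name a class removes the problem.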