After reading a blog post about a “PHP object injection” vulnerability in Joomla, I dug a bit deeper and found Stefan Esser’s slides of the 2010 BlackHat conference, which showed that PHP’s unserialize() function can give rise to vulnerabilities when supplied user-generated content.
So basically, the unserialize() function takes a string that represents a serialized value, and unserializes it (hence the name) to a PHP value. This value can be any type, except the resource type (i.e. integer, double, string, array, boolean, object, NULL). When the function is given a user-generated string, this may result in memory leak vulnerabilities in some (older) PHP versions.
However, this will not be the focus of this blog post. If you want to learn more about this, you can refer to the aforementioned BlackHat slides.
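The value types listed above, and how each is handled when the serialized string is treated as untrusted, as an added example that is not part of the original post. It relies on the `allowed_classes` option of unserialize() (PHP 7.0+); `Profile`, `contains_object` and `decode_untrusted` are hypothetical names, and the sample inputs are constructed.

```php
<?php
// Added example: hypothetical names, constructed inputs.
class Profile { public $name = 'guest'; }   // stands in for any application class

// True if $value is, or contains, an object of any kind.
function contains_object($value): bool
{
    if (is_object($value) || $value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Decode untrusted serialized data, accepting scalars, NULL and arrays only.
// Returns [accepted, value].
function decode_untrusted(string $data): array
{
    // allowed_classes => false: no class is instantiated; any serialized
    // object is returned as __PHP_Incomplete_Class instead.
    $value = @unserialize($data, ['allowed_classes' => false]);
    // false signals a parse failure unless the input really encodes false.
    if ($value === false && $data !== serialize(false)) {
        return [false, null];
    }
    return contains_object($value) ? [false, null] : [true, $value];
}

$samples = [                                 // constructed sample inputs
    'integer'   => serialize(42),
    'double'    => serialize(1.5),
    'string'    => serialize('hi'),
    'boolean'   => serialize(false),
    'NULL'      => serialize(null),
    'array'     => serialize([1, 'k' => true]),
    'object'    => serialize(new Profile()),
    'nested'    => serialize(['p' => new Profile()]),
    'malformed' => 'i:42',                   // missing the trailing ";"
];
foreach ($samples as $label => $data) {
    [$ok, $value] = decode_untrusted($data);
    printf("%-9s %-45s %s\n", $label, $data, $ok ? 'accepted as ' . gettype($value) : 'rejected');
}
```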