The expert discovered that an attacker can use low-risk file functions against Phar archives to trigger a deserialization attack without the application ever calling unserialize(). Phar archives are similar to Java JAR archives but are specific to PHP applications: a Phar application or library can be distributed as a single file.

Phar files carry metadata in PHP's serialized format. That metadata is unserialized whenever a file operation function (fopen, file_exists, file_get_contents, etc.) is applied to the archive's path, so a plain file check on an attacker-controlled path is enough to reach the deserialization code.

“Typically, these archives are used to hold self-extracting or self-contained applications, in the same way that a Jar archive can be executed, a Phar archive contains an executable stub containing PHP code. To get to the crux of the issue at hand, Phar archives can also contain meta-data, and: “Meta-data can be any PHP variable that can be serialized.” wrote Thomas.

“This meta-data is unserialized when a Phar archive is first accessed by any(!) file operation. This opens the door to unserialization attacks whenever a file operation occurs on a path whose beginning is controlled by an attacker. This is true for both direct file operations (such as “file_exists”) and indirect operations such as those that occur during external entity processing within XML (i.e. when an XXE vulnerability is being exploited).”
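The risky pattern Thomas describes is a file operation on a path whose beginning the attacker controls. The PHP snippet below is an added example, not code from the article or from Thomas's research; it contrasts that pattern with a hardened check that refuses stream wrappers, confines the path to a fixed directory, and optionally unregisters the phar:// wrapper altogether. The request parameter, the base directory and the function names are assumptions for illustration.

```php
<?php
// Added example (not from the article or the researcher's material).
// Contrasts a file_exists() call on attacker-controlled input with a hardened
// version. UPLOAD_DIR and the function names are assumptions for illustration.

declare(strict_types=1);

const UPLOAD_DIR = '/var/www/app/uploads';

// Risky pattern from the article: the start of the path comes straight from
// the request, so a "phar://" prefix reaches file_exists() and the archive's
// serialized metadata is unserialized without any unserialize() call in the app.
function fileExistsUnsafe(string $userPath): bool
{
    return file_exists($userPath);
}

// Hardened variant: the caller supplies only a file name, never a full path.
function fileExistsSafe(string $userName): bool
{
    // 1. Refuse anything shaped like a stream wrapper (phar://, data://, ...).
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $userName) === 1) {
        throw new InvalidArgumentException('stream wrappers are not allowed');
    }

    // 2. Allow only a plain file name: no separators, no colons, no NUL bytes.
    //    (This allowlist alone already excludes every wrapper prefix; step 1
    //    is kept so the rejection reason is explicit in logs.)
    if (preg_match('/^[A-Za-z0-9._-]+$/', $userName) !== 1) {
        throw new InvalidArgumentException('invalid file name');
    }

    // 3. Build the path under a fixed base directory and confirm, after
    //    symlink resolution, that it is still inside that directory.
    $candidate = UPLOAD_DIR . DIRECTORY_SEPARATOR . $userName;
    $resolved  = realpath($candidate);        // false if the file does not exist
    if ($resolved === false) {
        return false;
    }
    $base = realpath(UPLOAD_DIR);
    return $base !== false
        && str_starts_with($resolved, $base . DIRECTORY_SEPARATOR);
}

// Defence in depth: if the application never needs phar:// at runtime,
// unregister the wrapper so the stream cannot be opened by any file function.
// Run this before any code that legitimately relies on phar:// would execute.
function disablePharWrapper(): void
{
    if (in_array('phar', stream_get_wrappers(), true)) {
        stream_wrapper_unregister('phar');
    }
}

// Usage (inputs are constructed for the example):
disablePharWrapper();
var_dump(fileExistsSafe('report.pdf'));                  // true only if the file exists under UPLOAD_DIR
try {
    fileExistsSafe('phar://evil.phar/x');                // rejected before any file operation
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The important design point is that the hardened version never lets untrusted input become the prefix of a path: the scheme and directory are fixed by the code, and the user can only choose a file name from a restricted character set. Unregistering the phar wrapper is a useful belt-and-braces control on web-facing deployments that only consume Phar files at build time, but it must not be applied globally where Composer or other tooling still needs phar:// at runtime.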