The PHP Function Igbinary Unserialize
PHP’s serialize and unserialize functions allow complex data structures to be saved in a string format that preserves their types, then later restored to their original form. This is useful for things like storing information in a database or sending it between web servers. Using these functions, however, can also introduce vulnerabilities.
The problem is that when an object is serialized, none of the methods it implements (for example __wakeup and __destruct) are saved with it; the serialized string carries only the class name and property values, and the code comes from the class definition on the side that unserializes it. This means that if the class of the serialized object defines any magic methods, those methods will be executed automatically when the object is unserialized.
To avoid this, you need to make sure that any internal classes you use to store data or pass it between web servers either implement the Serializable interface or define magic __wakeup and __destruct methods. If you don’t want to add these to all of your classes, you can use a third-party library such as igbinary to do the work for you.
Igbinary provides a session serialize and unserialize handler that differs from the default PHP handler in a few ways, but the most important difference is how variable names are handled. Igbinary’s version of this function prefixes every session variable name with its binary length, which reduces the potential for those names to be escaped and used for local file inclusion (LFI). You can find more details about igbinary_unserialize in its README.
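The following is an added example, not code from the original article or from the igbinary project. It shows the magic methods described above firing during plain unserialize(), the allowed_classes option of unserialize() (PHP 7.0 and later) that prevents any class from being instantiated, and that igbinary_unserialize() rebuilds objects in the same way, so the class still has to be one you trust. The class CacheEntry and its property values are constructed for the example; the igbinary branch assumes the PECL extension is installed.

```php
<?php
// Constructed class: a harmless "cache entry" whose magic methods announce when they run.
class CacheEntry
{
    public string $key;
    public string $logfile = '/tmp/cache-entry.log';

    public function __construct(string $key)
    {
        $this->key = $key;
    }

    // Runs as soon as unserialize() has rebuilt the object, before the caller sees it.
    public function __wakeup(): void
    {
        echo "__wakeup fired for key={$this->key}\n";
    }

    // Runs when the object is destroyed, e.g. at script end.
    public function __destruct()
    {
        echo "__destruct fired, would touch {$this->logfile}\n";
    }
}

// The serialized string holds only the class name and the property values, no code.
$payload = serialize(new CacheEntry('user:42'));
echo $payload, "\n";

// 1) Plain unserialize(): CacheEntry::__wakeup runs immediately, __destruct later,
//    regardless of where the string came from.
$obj = unserialize($payload);

// 2) Mitigation built into PHP: refuse to instantiate any class (or pass an array
//    of allowed class names). The object comes back as __PHP_Incomplete_Class and
//    none of CacheEntry's magic methods are invoked.
$safe = unserialize($payload, ['allowed_classes' => false]);
echo 'Restored as: ', get_class($safe), "\n";

// 3) igbinary: a compact binary format, but it rebuilds the object just like
//    unserialize() does, so the same class and its __wakeup/__destruct still run.
if (function_exists('igbinary_unserialize')) {
    $bin  = igbinary_serialize(new CacheEntry('user:43'));
    $obj2 = igbinary_unserialize($bin);
    echo 'igbinary restored: ', get_class($obj2), "\n";
}
```

Run it with the PHP CLI; if the igbinary extension is absent, step 3 is skipped and the first two steps still show the difference between the default and the restricted unserialize() call.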