PHP Object Injection (POI) is a vulnerability that lets an attacker supply a serialized object whose class and property values they choose. When the application unserializes that input, the resulting object alters the application's control flow, which in turn leads to issues such as remote code execution, directory traversal, and so on, depending on what the application's own classes do with the attacker-controlled properties.
The root cause is user-supplied input being passed to a call to unserialize(). Note that unserialize() does not execute code contained in the input itself; rather, it instantiates whatever class the input names, with whatever property values the input carries, and PHP then runs that class's magic methods (__wakeup(), __destruct(), __toString(), and so on) on the attacker-controlled object. The situation is serious enough that the official PHP documentation for unserialize() carries the following warning:
Do not pass untrusted user input to unserialize(). Unserialization can result in code being loaded and executed due to object instantiation and autoloading, and a malicious user may be able to exploit this.
In PHP, serialization converts a PHP object or array into a string representation that can be stored in a flat file, a database, and so on. This lets the developer keep complex objects beyond the lifetime of the running script and re-create them later, possibly in a different script execution, from the stored location such as a database. The object effectively lives on after the script's runtime is over.
Restoring a stored object (deserialization, which instantiates it again) is done by calling unserialize(); serialization is done with serialize().
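The following is an added example, not code from the original article, showing what serialize() produces and why untrusted input reaching unserialize() is dangerous: unserialize() instantiates the class named in the string with the property values the string carries, and the class's __destruct() then runs on that attacker-controlled object. The LogWriter class, the file paths and the two restore functions are hypothetical; only serialize(), unserialize() and its allowed_classes option are real PHP APIs.

```php
<?php
// Added example (not from the original article). LogWriter, the file paths
// and restoreUnsafe()/restoreSafe() are hypothetical names chosen for the
// demonstration.

class LogWriter
{
    public string $path;
    public string $message;

    public function __construct(string $path, string $message)
    {
        $this->path = $path;
        $this->message = $message;
    }

    // Runs automatically when the object is destroyed, including objects
    // that unserialize() created. If $path and $message come from an
    // attacker, the attacker chooses where this write lands and what it says.
    public function __destruct()
    {
        file_put_contents($this->path, $this->message . PHP_EOL, FILE_APPEND);
    }
}

// 1. Legitimate use: turn an object into a storable string.
$stored = serialize(new LogWriter('/tmp/app.log', 'user logged in'));
echo $stored, PHP_EOL;
// O:9:"LogWriter":2:{s:4:"path";s:12:"/tmp/app.log";s:7:"message";s:14:"user logged in";}

// 2. The same format, hand-written by an attacker with their own property
//    values. The only discipline required is that each s:N: length prefix
//    matches the byte length of the string that follows it.
$crafted = 'O:9:"LogWriter":2:{s:4:"path";s:13:"/tmp/evil.txt";'
         . 's:7:"message";s:5:"pwned";}';

// 3. Vulnerable pattern: untrusted input reaches unserialize() directly, so
//    the attacker picks both the class and every property value.
function restoreUnsafe(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// 4. Hardened pattern (PHP >= 7.0): refuse to instantiate any class. Every
//    O: token then becomes a __PHP_Incomplete_Class, which has no magic
//    methods of the application's own, so nothing attacker-chosen runs.
function restoreSafe(string $untrusted): mixed
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

$obj = restoreUnsafe($crafted);
var_dump(get_class($obj));        // string(9) "LogWriter"
unset($obj);                      // __destruct() fires: /tmp/evil.txt is written

$incomplete = restoreSafe($crafted);
var_dump(get_class($incomplete)); // string(22) "__PHP_Incomplete_Class"
unset($incomplete);               // nothing application-defined runs
```

Run it with the PHP CLI and inspect /tmp/evil.txt afterwards: the write happens even though the application never called LogWriter's constructor or any method explicitly, which is the whole point of the PHP documentation's warning. allowed_classes => false (or a short whitelist of plain data classes) removes object instantiation from the attack surface; where data crosses a trust boundary, a format that cannot express objects at all, such as JSON via json_encode()/json_decode(), is the safer choice.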