PHP Object Instantiation attacks are a kind of application security vulnerability in PHP applications. They occur wherever meta-programming is used to instantiate a class from user data. Consider the following example code.
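// The class name is taken straight from the query string.
$modelClassname = $_GET['model'];
// Any class the application can load may be instantiated here.
$model = new $modelClassname();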
Clearly, whether there is a working attack vector here depends on what classes are available to be instantiated. The worst vulnerabilities will occur where there is a class with a constructor which could be harmful in some way.
The report of the original Object Instantiation vulnerability in PHP mentioned a Zend Framework version 1 class named Zend_Amf_Request, which is used for the Flash AMF protocol. It passes POST data to PHP’s serializer, allowing an Object Injection attack on the PHP application. This was used as part of a full end-to-end attack vector on the website being tested.
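One way to remove the dependency on which classes happen to be loaded, shown as an added example rather than code from the original page: the request value is only ever a key into a fixed map, never a class name. The class names, MODEL_MAP and createModel() are hypothetical, and the code assumes PHP 8.

```php
<?php
declare(strict_types=1);

// Hypothetical application types, defined here so the example runs stand-alone.
interface Model {}
final class UserModel implements Model {}
final class OrderModel implements Model {}

// Stand-in for any loaded class whose constructor has side effects.
final class DangerousSideEffect
{
    public function __construct()
    {
        throw new LogicException('constructor with side effects was reached');
    }
}

// Fixed map from request value to class; user input is only a lookup key.
const MODEL_MAP = [
    'user'  => UserModel::class,
    'order' => OrderModel::class,
];

function createModel(mixed $requested): Model
{
    // Reject arrays (?model[]=x) and unknown keys before any class is named.
    if (!is_string($requested) || !array_key_exists($requested, MODEL_MAP)) {
        throw new InvalidArgumentException('Unknown model');
    }
    $class = MODEL_MAP[$requested];
    // Defence in depth: the map may only name Model implementations.
    if (!is_subclass_of($class, Model::class)) {
        throw new LogicException("$class is not a Model");
    }
    return new $class();
}

// Constructed sample inputs, standing in for $_GET['model'].
foreach (['user', 'order', 'DangerousSideEffect', 'Zend_Amf_Request', ['x']] as $input) {
    try {
        echo get_class(createModel($input)), " created\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', json_encode($input), "\n";
    }
}
```

Only `user` and `order` produce objects; the other three inputs are rejected before `new` is reached, so no constructor outside the map ever runs.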