Code Injection in Signed PHP Archives (Phar)
PHP contains an interesting but rarely used feature called Phar (PHp ARchive), which allows developers to package an entire application as a single executable file. The format also offers a security feature: an archive can carry a digital signature, which is intended to prevent the archive from being modified on production machines.
According to the official PHP documentation:
Phar can compress individual files or an entire archive using gzip compression or bzip2 compression and can verify archive integrity automatically through the use of MD5, SHA-1, SHA-256 or SHA-512 signatures….
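To make the signature mechanism the documentation describes concrete, here is an added example (not code from the original article or from PHP itself) that parses and verifies the hash-based signature trailer of a phar file. It follows the layout documented in the PHP manual's "Phar signature format" section: the signature bytes sit at the very end of the file, followed by a 4-byte little-endian type flag and the magic bytes `GBMB`, and the digest is computed over everything that precedes the signature. The archive bytes used here are constructed, not a real phar; the function names are my own.

```python
import hashlib
import struct

# Signature type flags and digest lengths as documented in the PHP manual.
# The OpenSSL type is listed for completeness; verifying it needs a public key.
SIG_TYPES = {
    0x0001: ("md5", 16),
    0x0002: ("sha1", 20),
    0x0004: ("sha256", 32),
    0x0008: ("sha512", 64),
    0x0010: ("openssl", None),
}
MAGIC = b"GBMB"


def parse_signature(data: bytes):
    """Split phar bytes into (signed body, signature bytes, digest name)."""
    if len(data) < 8 or data[-4:] != MAGIC:
        raise ValueError("no phar signature trailer (missing GBMB magic)")
    flag = struct.unpack("<I", data[-8:-4])[0]
    if flag not in SIG_TYPES:
        raise ValueError(f"unknown signature type 0x{flag:04x}")
    name, length = SIG_TYPES[flag]
    if length is None:
        raise ValueError("OpenSSL signatures need the signer's public key; not handled here")
    if len(data) < 8 + length:
        raise ValueError("truncated signature")
    body = data[:-(8 + length)]
    sig = data[-(8 + length):-8]
    return body, sig, name


def verify_hash_signature(data: bytes) -> bool:
    """True if the trailing digest matches the bytes it covers."""
    body, sig, name = parse_signature(data)
    return hashlib.new(name, body).digest() == sig


def append_hash_signature(body: bytes, name: str = "sha256") -> bytes:
    """Append a hash-type signature trailer to an archive body.

    Note that no key or secret is involved: the trailer is a plain digest of
    the body, so it detects corruption but does not prove who produced it.
    """
    flag = {v[0]: k for k, v in SIG_TYPES.items()}[name]
    return body + hashlib.new(name, body).digest() + struct.pack("<I", flag) + MAGIC


# Constructed sample "archive": a stub of the loader prologue plus placeholder
# manifest bytes. Real phars carry a binary manifest; the trailer logic is the same.
SAMPLE_BODY = b"<?php __HALT_COMPILER(); ?>\r\n" + b"constructed manifest and file contents"
SAMPLE_PHAR = append_hash_signature(SAMPLE_BODY, "sha256")


def tampered_sample() -> bytes:
    """The sample with its body changed but the original trailer kept."""
    body, sig, _ = parse_signature(SAMPLE_PHAR)
    return body.replace(b"manifest", b"modified") + sig + SAMPLE_PHAR[-8:]


if __name__ == "__main__":
    print("original verifies:", verify_hash_signature(SAMPLE_PHAR))
    print("tampered verifies:", verify_hash_signature(tampered_sample()))
```

The useful lesson for anyone relying on this check is in `append_hash_signature`: for the MD5/SHA-1/SHA-256/SHA-512 types the "signature" is a digest with no secret, so it protects against accidental corruption in transit, not against a party who can write to the file. Only the OpenSSL signature type binds the archive to a key, which is why a deployment that wants to guarantee archive provenance should require that type (and keep `phar.readonly` enabled on production hosts) rather than treating a verified hash as proof of authenticity.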