PHP allows the use of external entities while parsing SOAP wsdl files, which allows an attacker to read arbitrary files. If a web application unserializes user-supplied data and tries to execute any method of it, an attacker can send a serialized SoapClient object initialized in non-wsdl mode, which will make PHP automatically parse the remote XML-document that is specified in the location option parameter. (
CVE-2013-1643
)
Impact
An attacker may be able to read arbitrary files on an affected system.