Exploiting an 'Unexploitable' SquirrelMail Bug for File Disclosure

If you read most introductory material on exploiting PHP unserialize() calls, you find the same basic pattern: find a call to unserialize() that takes user input, then find an object available that uses a magic method, instantiate one of these objects and use it to start calling other code until you can do something bad. But what if you find such a call in an application that doesn’t have any magic methods available?