Acunetix 360 detected that the register_globals directive is enabled.


When the register_globals directive is enabled, PHP will create a global variable out of each key-value pair supplied via GET and POST or as a cookie. This can lead to a variety of unforeseen problems if variables are used without prior initialization. The impact strongly depends on the respective application code but may range from sensitive information disclosure to code execution.

In general, this configuration setting has the potential to lead to critical issues. While it is helpful for an attacker to view the actual application code, in many cases, it's not required for successful exploitation. It is, therefore, strongly advised to disable this configuration option.

Actions To Take

To disable register_globals, you can set it to 'off' in the php.ini configuration file or alternatively in .htaccess.

  • php.ini:
    register_globals = 'off'
  • .htaccess:
    php_flag register_globals off

It is worth mentioning that register_globals has been removed in PHP 5.4.0 - a PHP version that has already reached its end of life. So, there are no security updates provided anymore. By updating PHP to a supported version, this issue should automatically be resolved, in case there is no register_globals polyfill provided by the application. 




CWE-473 OWASP 2013-A5 OWASP 2017-A6 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N