PHP register_globals enabled

Description

When register_globals is enabled, PHP automatically creates variables in the global scope for any value passed in GET, POST or COOKIE. This, combined with the use of variables without initialization, has led to numerous security vulnerabilities. Since application developers should be aware when they are accessing tainted user input, it is better practice to access these values through their respective superglobals ($_GET, $_POST, $_COOKIE).

Remediation

You can disable register_globals from php.ini or .htaccess.

php.ini
register_globals = Off

.htaccess
php_flag register_globals off
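
To confirm the setting in the files you actually deploy, the following added example (not part of the original page) scans php.ini or .htaccess text and reports the last active register_globals setting. The function names and sample files are constructed for illustration, and the check deliberately treats on/yes/true and any non-zero integer as enabled.

```python
import re

# php.ini form: "register_globals = value"; ';' starts a comment.
INI_RE = re.compile(r"^\s*register_globals\s*=\s*([^;]*)", re.IGNORECASE)
# .htaccess form: "php_flag register_globals value" (php_value also accepted).
HTACCESS_RE = re.compile(
    r"^\s*php_(?:flag|value)\s+register_globals\s+(\S+)", re.IGNORECASE)

# Constructed sample files, not taken from any real system.
SAMPLE_INI = """[PHP]
; register_globals = Off
register_globals = On   ; legacy app
display_errors = Off
"""
SAMPLE_INI_FIXED = """[PHP]
register_globals = Off
"""
SAMPLE_HTACCESS = """# constructed sample
php_flag register_globals off
php_flag register_globals On
"""


def is_enabled(raw):
    """Broad on purpose: on/yes/true or any non-zero integer counts as enabled."""
    value = raw.strip().strip("'\"").lower()
    if value in ("on", "yes", "true"):
        return True
    try:
        return int(value) != 0
    except ValueError:
        return False


def audit(text, pattern):
    """Return (line_number, enabled) for the last active setting, else None."""
    result = None
    for number, line in enumerate(text.splitlines(), start=1):
        match = pattern.match(line)
        if match:
            result = (number, is_enabled(match.group(1)))  # later lines override
    return result


if __name__ == "__main__":
    for name, text, pattern in (("php.ini", SAMPLE_INI, INI_RE),
                                ("php.ini (fixed)", SAMPLE_INI_FIXED, INI_RE),
                                (".htaccess", SAMPLE_HTACCESS, HTACCESS_RE)):
        print(name, audit(text, pattern))
```

A result of None means the directive is not set in that file, so the effective value comes from another configuration layer or from PHP's built-in default.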
