PHP register_globals enabled
Description
The register_globals directive, when enabled in PHP, automatically creates global variables from user-supplied data in GET, POST, and COOKIE requests. This feature allows attackers to inject or manipulate variables that developers may assume are safely initialized, leading to security vulnerabilities such as authentication bypasses, data manipulation, and unauthorized access. While deprecated since PHP 5.3.0 and removed in PHP 5.4.0, legacy applications may still have this setting enabled.
Remediation
Disable the register_globals directive immediately and update your application code to use PHP superglobal arrays instead. Follow these steps:
Step 1: Disable register_globals
In php.ini:
register_globals = Off
In .htaccess (if using Apache with mod_php):
php_flag register_globals Off
Step 2: Update Application Code
Replace direct variable access with superglobal arrays:
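// Vulnerable code (relies on register_globals)
// $authenticated is never initialized, so a request parameter named
// "authenticated" can set it when register_globals is enabled.
if ($authenticated) {
    // Grant access
}
// Secure code (explicit superglobal access)
session_start(); // the session must be started before $_SESSION is read
if (isset($_SESSION['authenticated']) && $_SESSION['authenticated'] === true) {
    // Grant access
}
Step 3: Initialize Variables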
Always initialize variables before use and validate all user input:
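// Initialize with default values
$user_role = 'guest';
$username = '';
// Validate and sanitize input
// (FILTER_SANITIZE_STRING is deprecated as of PHP 8.1, so
// FILTER_SANITIZE_FULL_SPECIAL_CHARS is used here instead)
if (isset($_POST['username'])) {
    $username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
}
Step 4: Restart Web Server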
After making configuration changes, restart your web server (Apache/Nginx) to apply the new settings. Consider upgrading to a modern PHP version (7.4+ or 8.x) where this feature no longer exists.
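To confirm Step 1 on a host where the directive may be set in more than one place, the following added example (not part of the original advisory) scans configuration text for active register_globals settings in both the php.ini form and the Apache mod_php form. The function names scan and effective and the sample file contents are constructed for illustration; the check assumes a flat file in which the last active setting wins.

```python
import re

# Values treated as "enabled". PHP's ini parser accepts on/yes/true/1
# (case-insensitive); this audit applies the same set to Apache
# php_flag/php_value lines so that it errs on the side of flagging.
TRUTHY = {"1", "on", "yes", "true"}

# php.ini / .user.ini form:   register_globals = On
INI_RE = re.compile(r'^\s*register_globals\s*=\s*"?([^\s";]*)', re.I)
# Apache mod_php form:        php_flag register_globals On
APACHE_RE = re.compile(
    r'^\s*php_(?:admin_)?(?:flag|value)\s+register_globals\s+"?([^\s"#]*)', re.I)


def scan(text):
    """Return [(line_number, raw_line, enabled)] for each active setting."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith((";", "#")):  # commented-out directive
            continue
        match = INI_RE.match(line) or APACHE_RE.match(line)
        if match:
            hits.append((number, stripped, match.group(1).lower() in TRUTHY))
    return hits


def effective(text):
    """Last active setting wins (assumption); None means the file does not set it."""
    hits = scan(text)
    return hits[-1][2] if hits else None


# Constructed sample files (not taken from any real system)
SAMPLE_INI = """\
; register_globals = On
register_globals = Off
register_globals = On   ; re-enabled further down the same file
"""
SAMPLE_HTACCESS = """\
# php_flag register_globals on
php_flag register_globals Off
"""

if __name__ == "__main__":
    for name, text in (("php.ini", SAMPLE_INI), (".htaccess", SAMPLE_HTACCESS)):
        for number, line, enabled in scan(text):
            print(f"{name}:{number}: {'ENABLED' if enabled else 'off'}: {line}")
        print(f"{name}: effective = {effective(text)}")
```

Run it against every php.ini, .user.ini, Apache configuration file and .htaccess that applies to the site, since a later or per-directory setting can turn the directive back on after php.ini disables it.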