PHP register_globals Is Enabled
Description
The register_globals PHP configuration directive, when enabled, automatically creates global variables from user-supplied GET, POST, and cookie data. This lets attackers manipulate application variables by injecting values through HTTP requests, particularly when developers use uninitialized variables. Modern PHP development practices recommend accessing user input exclusively through superglobal arrays ($_GET, $_POST, $_COOKIE) to maintain clear separation between user input and application variables.
Remediation
Disable register_globals immediately by modifying your PHP configuration. This setting was deprecated in PHP 5.3.0 and removed entirely in PHP 5.4.0.
Method 1: Modify php.ini
Locate your php.ini file and set:
register_globals = Off
Method 2: Use .htaccess (if using Apache with mod_php)
php_flag register_globals Off
Code Review: Audit your application code to ensure all user input is accessed through superglobal arrays ($_GET, $_POST, $_COOKIE, $_REQUEST) rather than relying on automatically created global variables. Initialize all variables before use.
Verification: After making changes, restart your web server and verify the setting is disabled by checking phpinfo() output or creating a test script that confirms register_globals is Off.
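A test script of the kind described under Verification, added here as an example and not part of the original advisory; the rg_probe parameter name is an assumption made for the example. It reads the directive with ini_get() and, when requested with ?rg_probe=1, also checks whether that parameter was turned into a global variable.

```php
<?php
// Added example: verification script. 'rg_probe' is a hypothetical parameter name.
// array() syntax is used so the script also runs on PHP 5.3 and older,
// the only versions where register_globals can still be enabled.

/**
 * Classify the configured value of register_globals.
 * ini_get() returns false when the directive does not exist (PHP 5.4.0+),
 * "" or "0" for a boolean set to off, "1" for on, or the literal ini string.
 */
function register_globals_setting()
{
    $raw = ini_get('register_globals');
    if ($raw === false) {
        return 'removed';
    }
    $value = strtolower(trim((string) $raw));
    return in_array($value, array('1', 'on', 'yes', 'true'), true) ? 'on' : 'off';
}

/**
 * Behavioural check: with register_globals on, a request parameter named
 * rg_probe appears as a global variable although no code assigns it.
 * Returns null when the probe parameter was not supplied.
 */
function probe_was_registered()
{
    if (!isset($_GET['rg_probe'])) {
        return null;
    }
    return array_key_exists('rg_probe', $GLOBALS);
}

header('Content-Type: text/plain');
$setting = register_globals_setting();
$probe   = probe_was_registered();

echo 'PHP version: ', PHP_VERSION, "\n";
echo 'register_globals setting: ', $setting, "\n";
if ($probe === null) {
    echo "behavioural check: skipped (request this script with ?rg_probe=1)\n";
} else {
    echo 'behavioural check: ', $probe ? 'FAIL, rg_probe became a global' : 'pass', "\n";
}
// Non-zero exit status (visible when run from the CLI) if the directive is on.
exit($setting === 'on' || $probe === true ? 1 : 0);
```

Request it through the web server from the directory the application runs in, since the CLI can load a different php.ini and .htaccess settings apply per directory. Remove the script once the result is confirmed.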