PHP super-globals-overwrite
Description
This vulnerability occurs when an application manually emulates PHP's deprecated register_globals feature by iterating through user-controlled input arrays ($_GET, $_POST, $_COOKIE, or $_REQUEST) and creating global variables from their contents. While register_globals has been disabled by default since PHP 4.2.0 and removed entirely in PHP 5.4.0 due to security concerns, some legacy applications still replicate this dangerous behavior by using code that extracts request parameters into the global scope. This practice allows attackers to inject or overwrite arbitrary global variables by manipulating HTTP request parameters, potentially bypassing security controls or altering application logic.
Remediation
Immediately remove any code that automatically converts request parameters into global variables. Search your codebase for patterns like the following and eliminate them:
foreach ($_REQUEST as $key => $val) {
    $$key = $val;
}
// Also check for similar patterns with:
foreach ($_GET as $key => $val) { $$key = $val; }
foreach ($_POST as $key => $val) { $$key = $val; }
foreach ($_COOKIE as $key => $val) { $$key = $val; }
extract($_REQUEST); // This function is equally dangerous
Instead, explicitly access input parameters when needed and validate them appropriately:
// Good practice: Explicitly retrieve and validate input
$userId = isset($_POST['user_id']) ? (int)$_POST['user_id'] : null;
if ($userId === null || $userId <= 0) {
    // Handle invalid input
}
// Initialize all variables explicitly before use
$isAdmin = false; // Cannot be overwritten by request parameters
Ensure all variables are explicitly initialized before use, especially those controlling security-sensitive operations. Consider enabling strict error reporting during development to catch undefined variable usage. If working with legacy code that cannot be immediately refactored, implement a whitelist approach that only allows specific, validated parameters to be processed.
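One way to implement the whitelist approach described above for legacy code, shown as an added example rather than code from the original page. The parameter names, validation rules, the `ALLOWED_PARAMS` constant and the `import_allowed_params()` helper are all hypothetical, and the request array is constructed sample data.

```php
<?php
declare(strict_types=1);

// Whitelist (hypothetical names and rules): parameter name => filter_var() filter and options.
const ALLOWED_PARAMS = [
    'user_id' => ['filter' => FILTER_VALIDATE_INT, 'options' => ['min_range' => 1]],
    'page'    => ['filter' => FILTER_VALIDATE_INT, 'options' => ['min_range' => 1, 'max_range' => 1000]],
    'sort'    => ['filter' => FILTER_VALIDATE_REGEXP, 'options' => ['regexp' => '/^(name|date)$/']],
];

/**
 * Replacement for a "foreach ($_REQUEST ...) { $$key = $val; }" loop.
 * Iterates over the whitelist, never over the request keys, and returns the
 * validated values in an array instead of writing them into the global scope.
 */
function import_allowed_params(array $input, array $rules): array
{
    $clean = [];
    foreach ($rules as $name => $rule) {
        // Missing or non-scalar values (e.g. user_id[]=1) are treated as absent.
        if (!isset($input[$name]) || !is_scalar($input[$name])) {
            $clean[$name] = null;
            continue;
        }
        $value = filter_var($input[$name], $rule['filter'], ['options' => $rule['options']]);
        $clean[$name] = ($value === false) ? null : $value;
    }
    return $clean;
}

// Constructed sample request: two valid parameters, one malformed parameter,
// and keys named after variables the application relies on.
$request = [
    'user_id'  => '42',
    'sort'     => 'name',
    'page'     => ['1'],
    'isAdmin'  => '1',
    'GLOBALS'  => ['isAdmin' => 1],
    '_SESSION' => ['role' => 'admin'],
];

$isAdmin = false; // initialized explicitly; the importer never assigns to it
$params  = import_allowed_params($request, ALLOWED_PARAMS);

var_dump($params, $isAdmin);
```

Legacy code that previously read `$user_id` or `$sort` as globals reads `$params['user_id']` and `$params['sort']` instead; keys outside the whitelist never leave the request array.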