PHP super-globals-overwrite
Description
This vulnerability occurs when an application manually emulates PHP's deprecated register_globals feature by iterating through user-controlled input arrays ($_GET, $_POST, $_COOKIE, or $_REQUEST) and creating global variables from their contents. While register_globals has been disabled by default since PHP 4.2.0 and removed entirely in PHP 5.4.0 due to security concerns, some legacy applications still replicate this dangerous behavior by using code that extracts request parameters into the global scope. This practice allows attackers to inject or overwrite arbitrary global variables by manipulating HTTP request parameters, potentially bypassing security controls or altering application logic.
Remediation
Immediately remove any code that automatically converts request parameters into global variables. Search your codebase for patterns like the following and eliminate them:
foreach ($_REQUEST as $key => $val) {
$$key = $val;
}
// Also check for similar patterns with:
foreach ($_GET as $key => $val) { $$key = $val; }
foreach ($_POST as $key => $val) { $$key = $val; }
foreach ($_COOKIE as $key => $val) { $$key = $val; }
extract($_REQUEST); // This function is equally dangerous
Instead, explicitly access input parameters when needed and validate them appropriately:
// Good practice: Explicitly retrieve and validate input
$userId = isset($_POST['user_id']) ? (int)$_POST['user_id'] : null;
if ($userId === null || $userId