PHP register_globals Is Enabled

Severity: Medium

Invicti detected that the register_globals directive is enabled.


When the register_globals directive is enabled, PHP will create a global variable out of each key-value pair supplied via GET and POST or as a cookie. This can lead to a variety of unforeseen problems if variables are used without prior initialization. The impact strongly depends on the respective application code but may range from sensitive information disclosure to code execution.

In general, this configuration setting has the potential to lead to critical issues. While it is helpful for an attacker to view the actual application code, in many cases, it's not required for successful exploitation. It is, therefore, strongly advised to disable this configuration option.

Actions To Take#

To disable register_globals, you can set it to 'off' in the php.ini configuration file or alternatively in .htaccess.

  • php.ini:
    register_globals = 'off'
  • .htaccess:
    php_flag register_globals off

It is worth mentioning that register_globals has been removed in PHP 5.4.0 - a PHP version that has already reached its end of life. So, there are no security updates provided anymore. By updating PHP to a supported version, this issue should automatically be resolved, in case there is no register_globals polyfill provided by the application. 

Build your resistance to threats. And save hundreds of hours each month.

Get a demo See how it works