Invicti detected that the
register_globals directive is enabled.
register_globals directive is enabled, PHP will create a global variable out of each key-value pair supplied via GET and POST or as a cookie. This can lead to a variety of unforeseen problems if variables are used without prior initialization. The impact strongly depends on the respective application code but may range from sensitive information disclosure to code execution.
In general, this configuration setting has the potential to lead to critical issues. While it is helpful for an attacker to view the actual application code, in many cases, it's not required for successful exploitation. It is, therefore, strongly advised to disable this configuration option.
register_globals, you can set it to 'off' in the
php.ini configuration file or alternatively in
register_globals = 'off'
php_flag register_globals off
It is worth mentioning that
register_globals has been removed in PHP 5.4.0 - a PHP version that has already reached its end of life. So, there are no security updates provided anymore. By updating PHP to a supported version, this issue should automatically be resolved, in case there is no
register_globals polyfill provided by the application.