====== Global Variable Vulnerability ======

Uninitialized global variables may be vulnerable to being overwritten. Allowing PHP to register request variables as globals causes this vulnerability: all POST, GET, COOKIE and SESSION variables become globally available in scripts. This makes it much easier for attackers to replace data and cause the application to show secret data.

===== Exploits =====

  * [[security:attack:global_variable_injection|Global Variable Injection Attack]]

===== Remedy =====

The best solution is to disable [[http://www.php.net/register_globals|register_globals in php.ini]]. It is still possible to access GET, POST, etc. data by using the [[http://www.php.net/variables.predefined|superglobals]]. Since PHP 4.2.0, //register_globals// has been off by default.

===== Additional Information =====

  * See [[security:web_application_security|web application security]] and [[catalog|security vulnerabilities catalog]].
  * [[http://www.php.net/register_globals|PHP register globals]]
  * [[http://www.zend.com/zend/art/art-sweat4.php|Coding PHP with register_globals Off]]
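
The uninitialized-variable problem and the remedy described above, shown side by side as an added example that is not part of the original page. Current PHP no longer has the register_globals directive, so its effect is emulated here with ''extract()''; the function names and the ''$request'' array (standing in for ''$_GET'') are assumptions made for illustration.

```php
<?php
// Added example: constructed input, hypothetical function names.
// extract() on the request array emulates register_globals = On.

// Vulnerable pattern: $authorized is never initialized, so a request
// parameter with the same name becomes its starting value.
function vulnerable_page(array $request, bool $loginOk): string
{
    extract($request);          // every request key becomes a variable
    if ($loginOk) {
        $authorized = true;
    }
    return !empty($authorized) ? 'secret data' : 'access denied';
}

// Hardened pattern: nothing is imported into scope, the flag is
// initialized before use, and input is read only by explicit name.
function hardened_page(array $request, bool $loginOk): string
{
    $authorized = false;        // explicit initialization
    if ($loginOk) {
        $authorized = true;
    }
    // Explicit, validated read (as with $_GET['page'] in a real script).
    $page = 1;
    if (isset($request['page']) && ctype_digit((string) $request['page'])) {
        $page = (int) $request['page'];
    }
    return $authorized ? "secret data (page $page)" : 'access denied';
}

// Constructed request: the client sends a parameter named "authorized"
// although the login check has failed.
$request = ['authorized' => '1', 'page' => '2'];

echo 'vulnerable, login failed: ', vulnerable_page($request, false), "\n";
echo 'hardened, login failed:   ', hardened_page($request, false), "\n";
echo 'hardened, login ok:       ', hardened_page($request, true), "\n";
```

Initializing every variable before use removes the problem even on a server where register_globals cannot be switched off.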