Uninitialized global variables may be vulnerable to being overwritten.
Allowing PHP to register variables as globals causes vulnerability. All the POST, GET, COOKIE and SESSION variables become globally available in scripts. It is much easier to replace data by attackers and cause application to show secret data.
The best solution is to disable register_globals in php.ini. It is still possible to access GET, POST, etc. data by using the super globals. Since PHP 4.2.0, register globals have been off by default.