 

Global Variable Vulnerability

Uninitialized global variables may be vulnerable to being overwritten.

Allowing PHP to register request variables as globals creates a vulnerability. All POST, GET, COOKIE and SESSION variables become globally available in scripts. This makes it much easier for attackers to replace data and cause the application to show secret data.

Exploits

Remedy

The best solution is to disable register_globals in php.ini. GET, POST and other request data remain accessible through the superglobals. Since PHP 4.2.0, register_globals has been off by default.
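
The uninitialized-variable pattern next to its hardened form, as an added example that is not part of the original page. The function names, demo credential and sample requests are constructed for illustration, and extract() stands in for register_globals (an assumption, made so the script runs on PHP versions that no longer have the directive).

```php
<?php
// Added example; all names and sample data are constructed.
// Assumption: extract() simulates register_globals = On by importing
// request keys as variables of the same name.

function credentials_ok(array $request): bool
{
    // Hypothetical check against a fixed demo credential.
    return ($request['user'] ?? '') === 'demo'
        && ($request['pass'] ?? '') === 'demo-pass';
}

// Before: $authorized is never initialized, so a request key of the same
// name supplies its value whenever the credential check fails.
function legacy_page(array $request): string
{
    extract($request);
    if (credentials_ok($request)) {
        $authorized = true;
    }
    return !empty($authorized) ? 'secret data' : 'access denied';
}

// After: initialize before use and read input only from the explicit
// request array (the superglobal in a real script).
function hardened_page(array $request): string
{
    $authorized = false;
    if (credentials_ok($request)) {
        $authorized = true;
    }
    return $authorized ? 'secret data' : 'access denied';
}

// Constructed sample requests (what $_GET would hold).
$samples = [
    'no credentials'         => [],
    'valid credentials'      => ['user' => 'demo', 'pass' => 'demo-pass'],
    'stray "authorized" key' => ['authorized' => '1'],
];
foreach ($samples as $label => $request) {
    printf("%-24s legacy: %-14s hardened: %s\n",
        $label, legacy_page($request), hardened_page($request));
}

// Deployment check: ini_get() returns false when the directive does not exist.
$rg = ini_get('register_globals');
echo 'register_globals: ', $rg === false ? 'directive not present'
    : (filter_var($rg, FILTER_VALIDATE_BOOLEAN) ? 'ON' : 'off'), "\n";
```

Only the third sample differs between the two columns: the legacy form returns the protected content, while the hardened form denies access because the variable is set before any input is considered.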

Additional Information

 
security/risk/global_variable.txt · Last modified: 2006/12/09 17:15
 