Back

PHP register-globals is enabled

By
Jijith Rajan
Published on
02 Jul 2018
1 min read

The register globals allow an attacker to overwrite variables in a script by simply adding parameters to requests. PHP has this feature disabled by default in PHP 4.2.0 and above. But, there are some hosting servers that still support old PHP versions. There are servers that have set register globals as enabled. When register_globals is enabled, PHP will automatically create variables in the global scope and any values can be passed through GET, POST or COOKIE to these variables. This vulnerability along with the use of variables without initialisation may lead to numerous security vulnerabilities. Using register globals makes the application vulnerable to malicious user inputs. So Beagle recommends using super globals to access these variables. The register_globals has been removed from PHP version 5.4.0.

Impact

The attacker uses a .htacess file to hide malware and redirect search engines to their own malicious page.

Mitigation / Precaution

beagle recommends the following fixes:-

  • If the application runs on PHP 4.1.0 or below, update PHP to the latest version.
  • If updating PHP is a no go for the application, then set register_globals as off in php.ini or htaccess.

.htaccess

        php_flag register_globals off

php.ini

        register_globals = 'off'
Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.
Product tour
Written by
Jijith Rajan
Jijith Rajan
Cyber Security Engineer
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment
Experience the power of automated penetration testing & contextual reporting.
Product tour