PHP register-globals is enabled

OWASP 2013-A5 OWASP 2017-A6 OWASP 2021-A5 CWE-16 WASC-13

With register_globals enabled, an attacker can overwrite variables in a script simply by adding parameters to a request. PHP has shipped with this feature disabled by default since PHP 4.2.0, but some hosting servers still run older PHP versions, and others have explicitly turned register_globals on. When register_globals is enabled, PHP automatically creates variables in the global scope, and their values can be set through GET, POST or COOKIE parameters. Combined with variables that are used without being initialised, this leads to numerous security vulnerabilities: any check or setting that relies on such a variable can be driven by malicious user input. Beagle therefore recommends accessing request data through the superglobals ($_GET, $_POST, $_COOKIE) instead. register_globals was removed entirely in PHP 5.4.0.


Attackers also use a .htaccess file to hide malware and to redirect search engines to their own malicious page.

Mitigation / Precaution

Beagle recommends the following fixes:

  • If the application runs on PHP 4.1.0 or below, update PHP to the latest version.
  • If updating PHP is not an option for the application, set register_globals to off in php.ini or in .htaccess.


        # .htaccess (Apache with mod_php)
        php_flag register_globals off


        ; php.ini
        register_globals = Off
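The uninitialised-variable problem described above, and the configuration check that goes with the fixes just given, as an added example that is not code from the Beagle page: PHP 5.4 and later no longer have register_globals, so its effect is emulated with extract() to show the vulnerable pattern next to the hardened one; the function names and the sample request are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the Beagle page. PHP >= 5.4 no longer has
// register_globals, so the effect is emulated with extract(): every request
// parameter becomes a local variable, exactly as register_globals did globally.

/** Vulnerable pattern: $authorized is only assigned on the success path. */
function vulnerableGate(array $request, bool $userIsAuthenticated): bool
{
    // register_globals emulation: request keys become variables in this scope.
    extract($request, EXTR_SKIP);
    if ($userIsAuthenticated) {
        $authorized = true;
    }
    // If the request carried authorized=1, $authorized already exists and is
    // truthy here even though the user never authenticated.
    return !empty($authorized);
}

/** Hardened pattern: initialise every variable; read input only via superglobals. */
function hardenedGate(array $request, bool $userIsAuthenticated): bool
{
    $authorized = false;               // always initialised before use
    if ($userIsAuthenticated) {
        $authorized = true;
    }
    // Request data stays inside $request (in real code: $_GET / $_POST /
    // $_COOKIE) and is never allowed to name application variables.
    return $authorized;
}

/** Deployment check: true if the interpreter still has register_globals on.
 *  On PHP >= 5.4 the directive does not exist and ini_get() returns false. */
function registerGlobalsEnabled(): bool
{
    return filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
}

// Constructed sample request: an unauthenticated caller adds ?authorized=1.
$request = ['authorized' => '1'];
$userIsAuthenticated = false;

echo 'vulnerable gate: ', vulnerableGate($request, $userIsAuthenticated) ? 'granted' : 'denied', PHP_EOL;
echo 'hardened gate:   ', hardenedGate($request, $userIsAuthenticated) ? 'granted' : 'denied', PHP_EOL;
// Fail closed at startup if the hosting configuration is still insecure.
if (registerGlobalsEnabled()) {
    exit('register_globals is enabled; refusing to run.' . PHP_EOL);
}
```

The startup check is useful on shared hosts where php.ini cannot be edited; because register_globals is PHP_INI_PERDIR it cannot be switched off with ini_set() at runtime, so the script can only refuse to run.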

