PHP register-globals is enabled

By
Jijith Rajan
Published on
02 Jul 2024
4 min read
Vulnerability

In the landscape of web security, keeping your website safe from potential threats is paramount. One often overlooked yet critical aspect is the configuration of your PHP settings.

Among these, the register_globals directive stands out due to its potential to introduce significant security vulnerabilities.

What is register_globals?

The register_globals directive in PHP was designed to automatically populate global variables with data from user input (e.g., GET, POST, and COOKIE data). While this might have seemed convenient in the early days of PHP development, it poses a severe security risk.

Enabling register_globals can lead to unintended variable overwrites and make your application vulnerable to various types of attacks, such as cross-site scripting (XSS) and SQL injection.

The register globals allow an attacker to overwrite variables in a script by simply adding parameters to requests. PHP has this feature disabled by default in PHP 4.2.0 and above.

But there are some hosting servers that still support old PHP versions. There are servers that have set register globals as enabled.

This vulnerability and the use of variables without initialization may lead to many security vulnerabilities. Using register globals makes the application vulnerable to malicious user inputs.

Beagle Security recommends using super globals to access these variables. The register_globals has been removed from PHP version 5.4.0.

What are the impacts when PHP register globals gets enabled?

1. Legacy code issues

  • Code breakage: If your application relies on register_globals, disabling it can cause parts of your code to break. Variables that were previously automatically populated will no longer be available, leading to potential functionality issues.

  • Refactoring required: You may need to refactor your code to explicitly use superglobals for handling user input. This can be time-consuming, especially for large or complex applications.

2. Initial transition effort

  • Testing and debugging: After disabling register_globals, thorough testing is required to identify and fix any issues that arise. Debugging and modifying legacy code can be a meticulous process.

  • Development resources: The transition may require additional development resources to ensure that all parts of the application are updated and functioning correctly without register_globals.

How can you prevent PHP’s register globals when enabled?

PHP’s register_globals directive is a security risk, as it allows for the automatic creation of global variables from GET, POST, Cookie, and other input data. This feature has been deprecated since PHP 4.2.0 and removed entirely as of PHP 5.4.0.

However, if you’re working with an older version of PHP, here are some steps you can take to prevent register_globals from being enabled:

1. Update PHP

The best and most secure approach is to update your PHP version to at least PHP 5.4.0 or later, where register_globals is no longer available.

2. Modify php.ini

If updating PHP is not an option, you can disable register_globals in your php.ini configuration file.

3. Use .htaccess (if using Apache)

For environments where you do not have access to php.ini, you can disable register_globals using a .htaccess file

4. Code-level protection

Even with register_globals disabled, it’s good practice to write secure code by initializing your variables properly and validating/sanitizing all user inputs.

// Unset global variables 
foreach ($_REQUEST as $key => $value) { 
    unset($GLOBALS[$key]); 
}

5. Server configuration

Ensure your server is configured securely by:

  • Using modern, maintained server software.

  • Applying all security patches and updates promptly.

  • Following best security practices for web server configuration.

6. Environment configuration

Check the environment configuration of your web host or server to ensure register_globals cannot be turned on inadvertently:

Create a phpinfo.php file with

<?php phpinfo(); ?>

to check the current configuration.

Remove or disable this file after confirming settings.

Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Jijith Rajan
Jijith Rajan
Cyber Security Engineer
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment