PHP : Register globals
Classification
OWASP Top 10 2013
OWASP Top 10 2017
OWASP Top 10 2021
PCI DSS 4.0
CWE
Overview
Registering all environment variables, GET and POST request parameters, and server variables as globals leads to unpredictable behavior and endangers the application.
With register_globals=on, the application registers all variables (environment, GET, POST, cookies, server) globally, so they are available in any scope of any PHP program. This encourages programmers to write applications that use parameter values of unknown origin, which leads to unpredictable behavior and endangers the application.
Due to these security risks, the register_globals directive was removed in PHP 5.4.
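The pattern described above, shown beside its hardened form, as an added example that is not part of the original page or of DerScanner. The function names and the sample request are hypothetical, and `extract()` is used only to emulate the directive so the file runs on current PHP, where register_globals no longer exists.

```php
<?php
declare(strict_types=1);

// Constructed sample request; stands in for $_GET so the file runs from the CLI.
$request = ['authorized' => '1'];

// Hypothetical stand-in for a real session or credential check; always fails here.
function is_authenticated_user(): bool
{
    return false;
}

// Legacy pattern: what a script effectively did with register_globals=on.
// extract() emulates the directive by turning every request key into a variable.
function legacy_check(array $request): bool
{
    extract($request); // emulation only; never call this on request data
    if (is_authenticated_user()) {
        $authorized = true;
    }
    // $authorized was never initialised, so a request-supplied value is used.
    return !empty($authorized);
}

// Hardened pattern: the variable has a known starting value and request data
// cannot reach it, whatever keys the request carries.
function hardened_check(array $request): bool
{
    $authorized = false;
    if (is_authenticated_user()) {
        $authorized = true;
    }
    return $authorized;
}

// Deployment check for legacy hosts: ini_get() returns false when the
// directive does not exist (PHP 5.4 and later).
function register_globals_enabled(): bool
{
    $value = ini_get('register_globals');
    return $value !== false
        && in_array(strtolower((string) $value), ['1', 'on', 'true', 'yes'], true);
}

var_dump(legacy_check($request));     // decision influenced by request data
var_dump(hardened_check($request));   // decision independent of request data
var_dump(register_globals_enabled());
```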
References
- OWASP Top 10 2017-A9-Using Components with Known Vulnerabilities
- CWE-473: PHP External Variable Modification
- Configuration - register_globals - owasp.com
- What are register_globals in PHP? - stackoverflow.com
- Why is REGISTER_GLOBALS so bad? - stackoverflow.com
- PHP Programming/Configuration: Register Globals - wikibooks.org
- CWE-1035
DerScanner Severity Score: CRITICAL
