We will be making a server configuration change related to PHP Register Globals at the date below. If you are NOT using PHP for your website you can disregard this notice. Currently PHP Register Globals is set to ON across our entire network of servers and will be changed to OFF. You will find a mini FAQ regarding this change below.
Change Date: Wednesday October 11, 2006
Why are we making this change?
When Register Globals is ON, you can overwrite variables in PHP scripts by appending them to the URL, e.g. script.php?myvar=42 would define a variable myvar with the value of 42. Depending on how your script works this could be a security risk which was the case with many of the scripts within Fantastcio being hacked/compromised.
An example was Mambo/Joomla scripts being exploited by including the following in the requested URL:
The example above shows how easy it is to call an external script by using the calender component in Jooma to deface the website. PHP has set Register Globals default value to OFF since version 4.2.0 as noted here in the first line: http://us3.php.net/register_globals.
What can happen as a result of this change?
Old/outdated scripts still depending on Register Globals to be ON will have problems as those scripts need Register Globals to be on in order to work.
What can be done to prevent/resolve any problems caused as a result of this change?
Most scripts have dropped the need of Register Globals to be ON or have custom workarounds to this issue. Upgrading to the latest version of the script could possibly resolve any problems caused by this change. We also recommend contacting your script developer if you're unsure to see if Register Globals turned ON is a requirement. Other solutions include:
1- Contacting your script developer to make changes to the script so it does not rely on Register Globals to be enabled.
2- If your scripts need Register Globals enabled for the use of GET/POST/COOKIE variables then you can add the following in the fileheader:
If you need other variables like SERVER use the function extract().
3- If you need Register Globals ON then you can upload a custom php.ini file in your scripts directory to negate this change (this means your scripts will be vulnerable to being exploited). You can find a custom php.ini file at the URL below with Register Globals turned ON. Simply upload it to your scripts directory and name it php.ini to override the change on the server.