Archive for the ‘LFI’ Category

(evil) Register Globals (on)

The register_globals directive is enabled (register_globals = On) by default in PHP versions 4.2.0 and greater in the php config (php.ini). While it doesn’t represent a security vulnerability, it’s a security risk.

Why is it a security risk? Let’s look at this example:

Continue reading