Mantis: register_globals Again

Yet another set of vulnerabilities have been discovered with PHP and register_globals. More details can be found at

Mantis has not required this setting to be on since version 0.18. The system check also flags it as a questionable practice.

If you are on a hosted site, or have applications that require this setting, you may not have complete control over this. You can, however, set this on a per directory basis, if you are using Apache. If you create a .htaccess file in your Mantis directory with the following content, the setting can be altered.

php_flag register_globals 0

Note that the directory's entry in httpd.conf MUST contain "AllowOverride All" or at least "AllowOverride Options" to read PHP settings from the .htaccess file.

Copyright 2006, Logical Outcome Ltd.