security concerns: php reg global


wtsetoh
04-16-2009, 02:23 AM
Hope someone can help:
After installing v1.6 RC4, I was prompted to set Register Globals to OFF if not used. Since setting it to OFF usually requires some Server Admin intervention, my question is:
Q. I've seen some internet forum postings dated 2005 which point out security vulnerabilities of v1.3 & earlier. Are all existing known security threats already addressed in v1.6 RC4, and is setting register globals to OFF for additional assurance against threats not yet discovered?

Thanks!

masino_sinaga
04-18-2009, 04:58 AM
Since nobody has answered this question, let me be honest. I am not sure whether all security threats are already addressed in v1.6 RC4, because I have not tested whether any security hole is still open or not.

Basically, setting the register_globals directive to OFF is recommended. At least, this is what php.ini says:

You should do your best to write your scripts so that they do not require register_globals to be on. Using form variables as globals can easily lead to possible security problems, if the code is not very well thought of.


Best regards,
Masino Sinaga
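
The php.ini warning quoted above, shown as an added example that is not part of the original thread or of the product's code. `extract()` stands in for `register_globals = On` (the directive was removed in PHP 5.4), and `check_login`, both page functions and the sample requests are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a real credential check.
function check_login(array $request): bool
{
    return ($request['user'] ?? '') === 'admin'
        && ($request['pass'] ?? '') === 'constructed-secret';
}

// Script that is only safe if request data never becomes variables:
// $authorized is not initialised, so a request parameter of the same
// name can set it before the check runs.
function fragile_page(array $request): string
{
    extract($request); // emulates register_globals = On (assumption of this example)
    if (check_login($request)) {
        $authorized = true;
    }
    return !empty($authorized) ? 'admin area' : 'denied';
}

// Same logic written so it does not require register_globals:
// the flag is always initialised from the check, and input is read
// only from the request array.
function robust_page(array $request): string
{
    $authorized = check_login($request);
    return $authorized ? 'admin area' : 'denied';
}

// Constructed sample requests.
$samples = [
    'valid'  => ['user' => 'admin', 'pass' => 'constructed-secret'],
    'wrong'  => ['user' => 'admin', 'pass' => 'guess'],
    'forged' => ['authorized' => '1'],
];

foreach ($samples as $label => $request) {
    printf(
        "%-7s fragile=%-11s robust=%s\n",
        $label,
        fragile_page($request),
        robust_page($request)
    );
}
```

Only the `forged` request produces different results from the two functions, which is the case the php.ini comment is warning about: code that initialises every variable behaves the same whether the directive is On or Off.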