This vulnerability is caused by the PHP globals problem. http://www.hardened-php.net/globals-problem Not vulnerable: PHP 4.4.1 and up or PHP 5.1.0 and up Fix: add $GLOBALS = array(); to the top of the config file