PHP is increasingly turning into a security dumping ground:
Disabling register_globals in PHP does not always increase security; sometimes it opens up a vulnerability. This is the case with the content management system Mambo, which, according to a posting on the Full Disclosure security mailing list, contains a vulnerability that allows attackers to execute their own code on the server.
This is certainly because hardly any language, apart perhaps from Perl, carries as much cruft as PHP. The result shows up again and again in esoteric problems that catch even people whose experience should have prepared them for such things.