I wouldn’t be too quick to condemn them simply because register_globals is on by default. As they point out, too many applications break when set to off. Also, as they rightly point out, it is possible to create scripts that are secure with register_globals set to on, just as it is possible to create insecure scripts even when register_globals is set to off. They have provided me with a local php.ini file and there are no limits placed on what we can do with .htaccess. This is a lot more than many hosts will allow.
However, they have shown me "evidence" of the site being exploited 3 days after I installed 0.9.2.2:
Webserver’s crontab:
<path.to.users.base.directory>/assets/images/lazo/y2kupdate >/dev/null 2>&1
Yep, there in the /assets/images/ directory I found 2 directories that shouldn’t have been there. One named "lazo" and the other named ".zbot". In my haste to restore the site as quickly as possible I did not delete the images directory as it contains a lot of files and directories, and with my current ISP, ftp is flaky at the best of times. The images and templates directories were the only things I retained after the hack and it was stupid of me not to check them more carefully.
They are still labouring under the impression that base_path is the cause of the problem. I have asked them to show me evidence that base_path is used in any script. We’ll see what they can find.
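The crontab entry quoted above is the kind of thing a defender wants to catch early: a cron job whose command lives under a web-served, web-writable asset directory. The script below is an added example (not code from the original post or from the software being discussed) that scans a crontab file and flags any job whose command path sits under such a directory. The directory list in WEB_DIRS, the /home/site/public_html prefix and the sample crontab are constructed for the example; the two flagged entries only mirror the shape of the entry in the post.

```shell
#!/bin/sh
# Added example, not from the original post: flag crontab entries whose
# command path sits under a web-served asset directory.
# WEB_DIRS and the sample crontab below are constructed, not from a real host.

WEB_DIRS="/assets/images /assets/uploads /tmp"

# Print the line and return 0 if it references a path under one of WEB_DIRS;
# return 1 for blank lines, comments and jobs that look ordinary.
suspicious_cron_line() {
    line=$1
    case "$line" in
        ''|'#'*) return 1 ;;            # blank line or comment: not a job
    esac
    for d in $WEB_DIRS; do
        case "$line" in
            *"$d"/*) printf '%s\n' "$line"; return 0 ;;
        esac
    done
    return 1
}

# Print every suspicious job found in the crontab file given as $1.
scan_crontab() {
    while IFS= read -r l || [ -n "$l" ]; do
        suspicious_cron_line "$l" || :
    done < "$1"
}

# Number of suspicious jobs in the crontab file given as $1.
count_suspicious() {
    scan_crontab "$1" | wc -l | tr -d ' '
}

# Constructed sample crontab: one ordinary job plus two entries shaped like
# the one quoted in the post (commands living under /assets/images/).
SAMPLE_CRONTAB=$(mktemp)
trap 'rm -f "$SAMPLE_CRONTAB"' EXIT
cat > "$SAMPLE_CRONTAB" <<'EOF'
SHELL=/bin/sh
# legitimate housekeeping job
0 3 * * * /usr/bin/php /home/site/cron/cleanup.php >/dev/null 2>&1
*/5 * * * * /home/site/public_html/assets/images/lazo/y2kupdate >/dev/null 2>&1
30 2 * * * /home/site/public_html/assets/images/.zbot/run >/dev/null 2>&1
EOF

# Usage: prints the two suspicious entries from the sample file.
scan_crontab "$SAMPLE_CRONTAB"
```

On a real host you would run scan_crontab against the output of `crontab -l` for the web server user (and any other account that can write into the document root), and extend WEB_DIRS to every directory the web server can write to; a legitimate job almost never needs to execute something stored there.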