PHP Security

Register Globals ON


ukgimp

3:18 pm on Jan 31, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I am trying to develop a few things with PHP and MySQL, but the place where they will be hosted uses register globals ON.

How insecure is this method? Could secure code be created even if register globals is ON? I suspect the reason for the non change is the fact that it would take a while to use the new $_POST['syntax'].

What methods could be used to do "bad" things? Would not stripping certain characters prevent successful attacks?

Cheers

dingman

4:41 pm on Jan 31, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The biggest danger I am aware of with register_globals is if you use global variables that are not from external sources in your code, in which case I understand there to be some possibility for an attacker to change those values by submitting an extra GET or POST variable.

It seems to me that there must be more to it than that, though, since I would think that would be mostly taken care of by simply initializing variables from external sources first, and then allowing the script to over-write them. (Which would still leave you open to attack if the logic of your code ever branched on whether a particular global variable was defined or not.)

I'm not sure what other issues there are. I recall that a while ago I sat down and thought a lot of it through and reached the conclusion that writing secure code when register_globals was on was much harder than turning it off and updating my scripts. Since I run my own servers, that's what I did. Writing secure code is still complicated, confusing, and prone to errors, but at least that's one category of problems I eliminated.
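
Added example (not part of the thread and not any poster's code): the two cases discussed above, an uninitialized variable and a branch on whether a variable is defined, each next to a hardened form. The function names, the `is_admin` and `limit` keys, and the use of `extract()` to stand in for register_globals are assumptions made for illustration.

```php
<?php
// register_globals was removed in PHP 5.4; extract() stands in for it here,
// since both turn request keys into plain variables (assumption of this example).

// Unsafe: $is_admin is assigned only inside the if, so a request key of
// the same name is still set when the session check fails.
function is_admin_unsafe(array $request, array $session): bool
{
    extract($request, EXTR_SKIP);   // simulated register_globals = On
    if (($session['role'] ?? null) === 'admin') {
        $is_admin = true;
    }
    return !empty($is_admin);
}

// Hardened: assign unconditionally, so any imported value is discarded.
function is_admin_safe(array $request, array $session): bool
{
    extract($request, EXTR_SKIP);
    $is_admin = ($session['role'] ?? null) === 'admin';
    return $is_admin;
}

// Caveat from the thread: branching on "is it defined?" lets the request
// supply the value, because the default is never applied.
function page_limit_unsafe(array $request): int
{
    extract($request, EXTR_SKIP);
    if (!isset($limit)) {
        $limit = 20;
    }
    return (int) $limit;
}

// Hardened: read the one expected key explicitly and range-check it.
function page_limit_safe(array $request): int
{
    $limit = filter_var($request['limit'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    return $limit === false ? 20 : $limit;
}

// Constructed request: an extra is_admin key and an oversized limit.
$request = ['is_admin' => '1', 'limit' => '1000000'];
$session = ['role' => 'guest'];
var_dump(is_admin_unsafe($request, $session), is_admin_safe($request, $session));
var_dump(page_limit_unsafe($request), page_limit_safe($request));
```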