Forum Moderators: coopster


register globals still on?

         

vincevincevince

3:23 am on Jul 11, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Do any of you knowingly continue to use servers with register_globals on? Why?

My feeling is that it has been so many years since it was a clear security recommendation to have register_globals turned off that any host with it still on is seriously inept.

I wonder if such omissions could form the basis of a court case in the future - a site hacked because of register_globals being left on suing the webhost for damages on the basis of negligence. Possible?

Do you agree?

phparion

5:00 am on Jul 11, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I have a strong disagreement on this with you. A webhost is not responsible for this kinda hack. Sue yourself and sue your programmer who made the site and sue the hacker of course :)

Sue yourself because why did you buy a hosting package from such a webhost? And by the way, this thing remains on even on DreamHost, which is a very popular hosting company.

The register_globals remains off from, I am not sure, PHP 4.4.x by default. Your programmer must have checked this security issue and could have used functions like ini_set or htaccess to switch off globals for your script's lifetime to make it secure.

Btw, how do you know your site has been hacked due to the register_globals on issue?

vincevincevince

1:20 am on Jul 12, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



There must come a point where it is reasonable to assume that things like this, clear security precautions, have been taken. The very fact that you are selling your services as a commercial webhosting company must imply a warranty that you have both studied and implemented security warnings and recommendations released by the software your webserver runs.

I protect scripts I release by making them refuse to run where register_globals is set to 'on'; however, I believe I am in the minority. I've seen recently released popular commercial code which is wide-open to hacking if installed with register_globals 'on'.

To me, it is the responsibility of a webhost to apply all security-related patches and recommendations promptly, in just the same way that I expect an airline to maintain their planes and follow safety procedures. Just because I don't personally inspect the engines and cockpit equipment of a plane before using it, it doesn't mean that I become liable for any deficiencies found there.

So - I believe that register_globals does need to be off and any host who has it 'on' by default is negligent and deserves to be sued!
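The "refuse to run" guard mentioned in the post above could look like the following. This is an added example, not part of the original post and not the poster's code; the function names `rg_is_enabled` and `rg_refuse_if_enabled` and the variable `$is_admin` are hypothetical.

```php
<?php
// Added example (not from the thread). Written in PHP 4/5-compatible syntax,
// because the register_globals directive only exists before PHP 5.4.

// Interpret the raw ini_get() value the way PHP treats boolean directives:
// "1" means on, "" or "0" means off, the literal config string ("On", "off")
// may also come back, and false means the directive is unknown.
function rg_is_enabled($raw)
{
    if ($raw === false || $raw === null) {
        return false;               // directive does not exist (PHP >= 5.4)
    }
    $value = strtolower(trim((string) $raw));
    return in_array($value, array('1', 'on', 'yes', 'true'), true);
}

// Hypothetical helper: call this first in every entry-point script.
function rg_refuse_if_enabled()
{
    if (!rg_is_enabled(ini_get('register_globals'))) {
        return;
    }
    // Request variables were already injected into the global scope before
    // the script started, so the guard can only detect the setting and stop.
    if (!headers_sent()) {
        header('HTTP/1.1 503 Service Unavailable');
        header('Content-Type: text/plain; charset=utf-8');
    }
    error_log('Startup aborted: register_globals is enabled');
    exit("This application will not run with register_globals enabled.\n"
       . "Disable it in php.ini or with 'php_flag register_globals off'.\n");
}

rg_refuse_if_enabled();

// Past this point, read request data only from the superglobals and
// initialise every security-relevant variable before it is used.
$is_admin = false;
```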

phparion

6:03 am on Jul 12, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



If you go out for dining to a hotel of 'your choice', then do you see the menu card and then place an order, or just tell the waiter to bring whatever they have because the hotel is of 'your choice' and it is commercial?

You do choose what you want to eat!

A webhost deals with hundreds and sometimes thousands of customers; how many of them have secure and highly rated applications like yours? The percentage is very low. Most of them are basic developers or just get a newbie to develop them some networking site or advertising site or one-page websites, which is very famous nowadays. They do not care about register_globals on or off status.

I had been asked once to move a very huge auctions portal from a webhost to the dedicated server of the client. When I moved it, the whole application crashed because that application was written keeping register_globals On; then I switched on the option and it started to work. So a webhost cannot make one customer happy; they adopt the most general configuration policy to keep most of the customers happy.

Also, you always have the option to play with php.ini with htaccess or functions like ini_set(), so you always have the power (to order food of your choice) to control the behavior of your scripts for their lifetime.

I do not think that FOR THIS REGISTER_GLOBALS ON OR OFF issue any host should be sued.

henry0

11:35 am on Jul 12, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Isn't it supposed to be "default" in newer releases?
(I could be wrong)
Isn’t it the responsibility of the programmer to write scripts that work with “off” mode?

I believe that many problems arise from D-loaded and installed scripts by “coders”
that won’t understand how it works.
Like “I need an authentication script”; G for it, grab the first one and you know the rest of the story…

Too many unaware users consider PHP and MySQL as MS tools: Grab, Install, Done!
Without realizing where the power is and that it could be used both ways: serving you or betraying you.