fj_111's post shows why: if you type HTTP_REFERER onto the URL and have register_globals enabled, you can set it.
This is because HTTP_SERVER_VARS['HTTP_REFERER'] is only set when a referrer exists; that is, when you clicked a link to get to the page. So if you just type in the URL, there will be no server HTTP_REFERER, which will allow the HTTP_GET_VARS['HTTP_REFERER'] to actually make it to the script as $HTTP_REFERER.
Kinda confusing but it's an interesting security anomaly.
I understand now, HTTP_REFERER is a bit different from the rest, since it is only available when it is actually set.
I think I am slowly getting what you are saying.
Just to confirm, my php.ini had the following values:
variables_order = "EGPCS"
register_globals = On
track_vars = On
I did not just type in the URL "test2.php"; instead I clicked the link in "test1.html".
So, from what anarchos says, HTTP_REFERER exists (is set), therefore HTTP_SERVER_VARS should have overwritten whatever a (malicious?) user might have added.
Is this because I am testing my files on localhost? Maybe this prevents HTTP_REFERER from being set in the first place, so that HTTP_SERVER_VARS doesn't overwrite it?
The best solution to me seems to be to set register_globals to "Off", or does that cause any other security problems I don't know of?
No, it's not because you're running it on localhost; PHP can't tell the difference. And yes, turning register_globals off will help significantly with security.
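
The import order discussed in this thread, as an added example that is not part of any poster's message: a simplified model of register_globals with variables_order = "EGPCS", showing that the GET value only survives as the global when the server array has no HTTP_REFERER entry. The function name import_globals and all sample values are assumptions made for illustration; register_globals itself was removed in PHP 5.4, so this simulates the behaviour rather than enabling it.

```php
<?php
// Simplified model of how register_globals imported request data into the
// global scope: sources are applied in variables_order, and a later letter
// overwrites a variable of the same name set by an earlier one.
// import_globals() is a hypothetical helper; all sample values are constructed.

function import_globals(string $order, array $sources): array
{
    $globals = [];
    foreach (str_split($order) as $letter) {
        foreach ($sources[$letter] ?? [] as $name => $value) {
            $globals[$name] = $value;   // later source wins
        }
    }
    return $globals;
}

// Case 1: URL typed directly. No referrer exists, so the server array has
// no HTTP_REFERER entry to overwrite the value supplied in the query string.
$typed = [
    'G' => ['HTTP_REFERER' => 'http://trusted.example/from-query-string'],
    'S' => ['REQUEST_METHOD' => 'GET'],
];

// Case 2: link clicked. The server array carries the real referrer, and
// because S comes after G in "EGPCS" it replaces the query-string value.
$clicked = [
    'G' => ['HTTP_REFERER' => 'http://trusted.example/from-query-string'],
    'S' => ['REQUEST_METHOD' => 'GET',
            'HTTP_REFERER'   => 'http://localhost/test1.html'],
];

foreach (['typed URL' => $typed, 'clicked link' => $clicked] as $label => $req) {
    $g = import_globals('EGPCS', $req);
    // What a script relying on the bare global $HTTP_REFERER would see:
    $fromGlobal = $g['HTTP_REFERER'] ?? '(unset)';
    // What it sees when it reads the server array explicitly instead:
    $fromServer = $req['S']['HTTP_REFERER'] ?? '(unset)';
    printf("%-13s global=%s | server=%s\n", $label, $fromGlobal, $fromServer);
}
```

Reading the value from the server array by name, rather than from the bare global, gives the same result in both cases regardless of what is placed in the query string.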