fj_111's post shows why: if you type HTTP_REFERER into the URL and have register_globals enabled, you can set it.

This is because HTTP_SERVER_VARS['HTTP_REFERER'] is only set when a referrer exists; that is, when you clicked a link to get to the page. So if you just type in the URL, there will be no server HTTP_REFERER, which will allow HTTP_GET_VARS['HTTP_REFERER'] to actually make it to the script as $HTTP_REFERER.

Kinda confusing but it's an interesting security anomaly.
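To make the precedence concrete, here is an added example (not code from the thread) that models how register_globals imports variables in variables_order "EGPCS" order, so a Server value overwrites a GET value of the same name, and compares a check that trusts the auto-imported $HTTP_REFERER with one that reads $_SERVER directly. The request arrays and the trusted.example domain are constructed for illustration.

```php
<?php
// Added example: models the register_globals import order (variables_order
// "EGPCS": Environment, GET, POST, Cookie, Server). Each later source
// overwrites earlier ones, so a real Server HTTP_REFERER beats the GET one;
// with no Referer header, the GET value survives into $HTTP_REFERER.
// All request data below is constructed, not taken from a real request.

function import_globals(array $get, array $server): array {
    $globals = [];
    foreach ([$get, $server] as $source) {      // GET first, then Server
        foreach ($source as $name => $value) {
            $globals[$name] = $value;           // later source wins
        }
    }
    return $globals;
}

// Vulnerable pattern: trusts the merged global, whatever its origin.
function vulnerable_check(array $globals): bool {
    return isset($globals['HTTP_REFERER'])
        && strpos($globals['HTTP_REFERER'], 'http://trusted.example/') === 0;
}

// Hardened pattern: reads only the server array, and a missing header is
// treated as untrusted. (A Referer check is still only a weak signal, since
// the header is client-supplied; use it for defence in depth, not as auth.)
function hardened_check(array $server): bool {
    return isset($server['HTTP_REFERER'])
        && strpos($server['HTTP_REFERER'], 'http://trusted.example/') === 0;
}

// Case 1: URL typed directly, so no Referer header, plus ?HTTP_REFERER=... in
// the query string. The GET value reaches the vulnerable check unchallenged.
$typedGet    = ['HTTP_REFERER' => 'http://trusted.example/'];
$typedServer = [];
var_dump(vulnerable_check(import_globals($typedGet, $typedServer)));
var_dump(hardened_check($typedServer));

// Case 2: page reached via a link, so $_SERVER carries the real Referer and
// overwrites the GET value during import.
$linkedServer = ['HTTP_REFERER' => 'http://other.example/page'];
var_dump(vulnerable_check(import_globals($typedGet, $linkedServer)));
var_dump(hardened_check($linkedServer));
```

Run it with `php` on the command line; only the first var_dump in case 1 comes out true, which is exactly the gap the post describes.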