added a comment - - edited
I continue thinking the above exploit example is unable to inject anything into $CFG->dirroot at all, hence, the shell cannot be executed. Or the guy is hiding info, or it's some bug in PHP 4.4.x (causing the $CFG injection to happen), or it's simply fake).
I really cannot guarantee that it's impossible to inject object attributes via register_globals, although I haven't been able to find any information about that.
In any case, I think the MOODLE_INTERNAL trick will help to cut any real/potential exploit in those scripts. So +1 for that.
In the other side, I just did a quick search for requires/includes not using CFG at all:
egrep -rn '(include|require)_once\(\$' * | grep -v CFG
and found a bunch of them (aprox 100). IMO we should check all them are properly checked/initialized variables (non-usurpable by register_globals at all).
PS: register_globals() is evil, evil, evil! Impossible to protect all the stuff from it being enabled.