PHP mail() Function Lets Remote Users Inject E-mail Headers
Tuesday, April 24th, 2007

A vulnerability was reported in PHP's mail() function. A remote user can inject e-mail headers. The mail() function does not properly process folded mail headers, so a remote user can exploit this to inject e-mail headers via the ‘To’ and ‘Subject’ parameters.
…
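As an added example (not code from the advisory, from Stefan Esser, or from PHP itself), the check below refuses any To or Subject value that carries a line break before mail() is called; because folded continuation lines ("\r\n" followed by a space or tab) also contain a line break, this single test covers the folding case the advisory describes. The function names `is_safe_mail_header` and `send_mail_strict` are this example's own.

```php
<?php
// Added example: strict header-value check applied before mail().
// A header value that contains CR or LF can start a new header line,
// including a folded continuation line ("\r\n " or "\r\n\t"), so the
// whole value is rejected rather than stripped or unfolded.
function is_safe_mail_header(string $value): bool
{
    return preg_match('/[\r\n]/', $value) !== 1;
}

// Wrapper around mail() that refuses to send when To or Subject
// (the parameters named in the advisory) fail the check.
function send_mail_strict(string $to, string $subject, string $body): bool
{
    foreach (['To' => $to, 'Subject' => $subject] as $name => $value) {
        if (!is_safe_mail_header($value)) {
            error_log("mail() refused: line break found in $name header");
            return false;
        }
    }
    return mail($to, $subject, $body);
}

// Constructed inputs for a local self-check; nothing is sent here.
$samples = [
    "Order confirmation"                        => true,  // plain value: allowed
    "Order confirmation\r\n Cc: other@example.org" => false, // folded continuation
    "Order confirmation\nBcc: other@example.org"   => false, // bare LF
    "Order confirmation\r"                      => false, // bare CR
];
foreach ($samples as $input => $expected) {
    if (is_safe_mail_header($input) !== $expected) {
        throw new RuntimeException('header check failed for: ' . addcslashes($input, "\r\n"));
    }
}
echo "header checks passed\n";
```

Rejecting the whole value (rather than trying to unfold or strip it) is the safer default, since any sanitiser has to match exactly what the target mail() implementation treats as a line break.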
A flaw was discovered in the way PHP’s mail() function processed header
data. If a script sent mail using a Subject header containing a string from
an untrusted source, a remote attacker could send bulk e-mail to unintended
recipients. (CVE-2007-1718)
…
See http://securitytracker.com/alerts/2007/Apr/1017946.html

Stefan Esser discovered this vulnerability.
The original advisory is available at: http://www.php-security.org/MOPB/MOPB-34-2007.html

