PT-2007-3084 · Php+1

Published: 2007-03-28 · Updated: 2018-10-30 · CVE-2007-1718

CVSS v2.0: 7.8 (High) · Vector: AV:N/AC:L/Au:N/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions: PHP versions 4.0.0 through 4.4.6; PHP versions 5.0.0 through 5.2.1.
Description: A CRLF injection issue in the mail function allows remote attackers to inject arbitrary e-mail headers, possibly leading to spam attacks. The injection is achieved by placing a control character immediately after the folding of the Subject or To parameter, for example the sequence "\r\t". The issue is related to an incorrect increment in the SKIP_LONG_HEADER_SEP macro.
Recommendations: For PHP versions 4.0.0 through 4.4.6, update to a version outside of this range to resolve the issue. For PHP versions 5.0.0 through 5.2.1, update to a version outside of this range to resolve the issue. As a temporary workaround, validate and sanitize the Subject and To parameters before passing them to the mail function, rejecting any value that contains a carriage return, line feed or other control character, so that CRLF injection is prevented.
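The workaround above in code, as an added example that is not part of the advisory and not code from the PHP project: the helper names isSafeHeaderValue and sendMailStrict and the sample inputs are assumptions constructed here. It rejects any To or Subject value containing a C0 control character or DEL, which covers CR, LF and the "\r\t" folding sequence the advisory describes, before the value ever reaches mail().

```php
<?php
// Added example (not from the advisory or the PHP project): refuse header
// values that could start a new line or continue a folded header.

/**
 * Returns true when $value is safe to use as a single-line e-mail header
 * value: no CR, LF, NUL, TAB or any other ASCII control character.
 * [\x00-\x1F\x7F] covers all C0 controls plus DEL; TAB is included because
 * the "\r\t" sequence from the advisory relies on it to extend a folded
 * header past the CR.
 */
function isSafeHeaderValue(string $value): bool
{
    // preg_match returns 1 on a match, 0 on no match and false on error;
    // only a clean 0 is treated as safe.
    return preg_match('/[\x00-\x1F\x7F]/', $value) === 0;
}

/**
 * Strict wrapper around mail(): throws instead of sending when a
 * caller-supplied To or Subject could inject additional headers.
 * (Hypothetical helper name; wrap your own mail calls the same way.)
 */
function sendMailStrict(string $to, string $subject, string $body): bool
{
    foreach (['To' => $to, 'Subject' => $subject] as $name => $value) {
        if (!isSafeHeaderValue($value)) {
            throw new InvalidArgumentException(
                "Refusing to send: $name header contains a control character"
            );
        }
    }
    // The recipient must additionally be a syntactically valid address.
    if (filter_var($to, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Refusing to send: invalid recipient');
    }
    return mail($to, $subject, $body);
}

// Constructed sample Subject values for demonstration only.
$samples = [
    'Monthly report',                       // clean, accepted
    "Monthly report\r\tX-Injected: yes",    // folding + control char, rejected
    "Monthly report\nX-Injected: yes",      // plain LF injection, rejected
    "Monthly report\x00",                   // embedded NUL, rejected
];
foreach ($samples as $s) {
    printf("%-45s => %s\n", json_encode($s),
        isSafeHeaderValue($s) ? 'accepted' : 'rejected');
}
```

The check rejects TAB as well as CR and LF, so callers must pass single-line header values (which is what mail() expects anyway); if a legitimately long Subject needs encoding, encode it (for example with mb_encode_mimeheader) before the check rather than folding it by hand.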

Exploit

Fix


Related identifiers

CVE-2007-1718
DSA-1282-1
DSA-1283-1
DTSA-39-1
DTSA-40-1
RHSA-2007:0153
RHSA-2007:0155
RHSA-2007:0162
RHSA-2007_0153
RHSA-2007_0155

Affected products

Php
Red Hat