[darkerstar]

PHP mail() Function Lets Remote Users Inject E-mail Headers

A flaw was discovered in the way PHP's mail() function processed header
data. If a script sent mail using a Subject header containing a string from
an untrusted source, a remote attacker could send bulk e-mail to unintended
recipients. (CVE-2007-1718)

See http://securitytracker.com/alerts/2007/Apr/1017947.html

[UnrealEd]

this bug is known for a very longtime

[mab]

The information in that link is out of date, despite the recent date it has on it. It basically shows upgrading to PHP 5.1.6. However, that recommendation is not even current. The current version of PHP is 5.2.1. In fact that link is only reposting information from another source.

I guess the recommendation would be to not post information you happen to come across, unless you have first hand knowledge of its relevance and accuracy or it is information that you researched yourself and you are the source of the information. Posting second hand/third hand, unverified information, is not helpful. Research things yourself, instead of taking it at face value.

[Keith]

Properly validate and format your freaking input and you have nothing to worry about. Lazy programmers want everything handled for them.

[wirehopper]

Check for to:, cc:, and bcc: in the input, or if you're really lazy - just reject any input with a colon.