The mail function in PHP 4.x to 4.2.2 does not filter ASCII control characters from its arguments, which could allow remote attackers to modify mail message content, including mail headers, and possibly use PHP as a “spam proxy.”
ftp://ftp.caldera.com/pub/security/OpenLinux/CSSA-2003-008.0.txt
distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000545
marc.info/?l=bugtraq&m=103011916928204&w=2
marc.info/?l=bugtraq&m=105760591228031&w=2
www.debian.org/security/2002/dsa-168
www.kb.cert.org/vuls/id/410609
www.mandrakesoft.com/security/advisories?name=MDKSA-2003:082
www.novell.com/linux/security/advisories/2002_036_modphp4.html
www.osvdb.org/2160
www.redhat.com/support/errata/RHSA-2002-213.html
www.redhat.com/support/errata/RHSA-2002-214.html
www.redhat.com/support/errata/RHSA-2002-243.html
www.redhat.com/support/errata/RHSA-2002-244.html
www.redhat.com/support/errata/RHSA-2002-248.html
www.redhat.com/support/errata/RHSA-2003-159.html
www.securityfocus.com/bid/5562
exchange.xforce.ibmcloud.com/vulnerabilities/9959