php-mail vulnerable to header forgery

An upgrade to 1.1.14 is needed.
You can view the changelog here:
 http://pear.php.net/package/Mail/download/All

Version 1.11.1 is the first fix "We now guard against email injection exploits"
Version 1.1.14 includes the fix, plus a revision to the fix "Fix missing seperation between headers and body in the SMTP driver"

Unfortunately we were blacklisted - by aol. Not good.

This bug also effects the non-pear php mail() function.

Thanks for the report!

This is a public problem, so I've unchecked the private flag. If there are updates for this universe package made available, I'd be happy to help it through the security queues.

It is questionable that this is called a security vulnerability. The responsibility of sanitising the supplied e-mailaddresses is the domain of the person building an application on top of php-mail - blindly accepting any input and passing it on is not secure.

What php-mail does is add an extra layer of protection which is a good security *feature* but in my opinion not a bug in previous versions. Similarly you could state that the 'sendmail' command is buggy because it accepts random Bcc headers.

In any case, the new version is in Intrepid, so fix released.