IMAP Toolkit 2007f on UNIX, as used in imap_open() in PHP and other products, launches an rsh command without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is an untrusted input.
