University of Washington IMAP Toolkit 2007f on UNIX, as used in imap_open in PHP and other products, launches an rsh command without preventing argument injection, which might allow remote attackers to execute arbitrary OS commands if the IMAP server name is untrusted input and if rsh has been replaced by a program with different argument semantics. For example, if rsh is a link to ssh , then the attack can use an IMAP server name containing a "-oProxyCommand" argument.