
PHP-Nuke mail CRLF Injection vulnerabilities
  Author: Ravish Ahuja
Added: 12/21/2002
Type: Advisory
Technical Details

The fourth parameter to PHP's mail() function contains the additional
mail headers that PHP doesn't have a special parameter for. In this
case, it's used to add From and Reply-To headers. When PHP-Nuke
constructs the value for this parameter, it doesn't check the form
data it's using for CR and LF characters. As a result, an attacker
can supply extra mail headers and even an extra mail body, and they
will be included in the mail between the real headers and the real
body. This is done by simply including CR and LF characters in the
form data field that contains your e-mail address. If the attacker
includes an HTML message ending with a "<!--" tag or a
"<font color='something'>" tag that sets the foreground colour to
the background colour, the real mail body will not be shown in
many programs.
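
The header construction described above, next to a hardened form, as an added example (this is not PHP-Nuke source code; the function names and sample values are hypothetical and constructed for illustration):

```php
<?php
// Added example, not PHP-Nuke code. All function names are hypothetical.

// Pattern the advisory describes: form data is concatenated into the
// additional-headers argument of mail() with no CR/LF check.
function build_headers_unchecked(string $email): string
{
    return "From: $email\r\nReply-To: $email\r\n";
}

// Hardened form: refuse any value containing CR, LF or NUL, then require
// a syntactically valid address before it is placed in a header.
function build_headers_checked(string $email): string
{
    if (preg_match('/[\r\n\0]/', $email)) {
        throw new InvalidArgumentException('control character in e-mail field');
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('not a valid e-mail address');
    }
    return "From: $email\r\nReply-To: $email\r\n";
}

// Count header lines so the effect of an embedded line break is visible.
function header_line_count(string $headers): int
{
    return count(preg_split('/\r\n|\r|\n/', rtrim($headers, "\r\n")));
}

// Constructed sample inputs: one ordinary address, one carrying a line break.
$benign  = 'alice@example.org';
$tainted = "alice@example.org\r\nX-Constructed-Extra: 1";

// The unchecked builder emits more header lines than the two it intended
// when the field value contains CR LF.
echo header_line_count(build_headers_unchecked($benign)), "\n";
echo header_line_count(build_headers_unchecked($tainted)), "\n";

foreach ([$benign, $tainted] as $value) {
    try {
        build_headers_checked($value);
        echo "accepted\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The same check belongs on every form field that ends up in the fourth argument of mail(), not only the address field.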

© Copyright Linux Advisory 2003. All rights reserved.