Update: PHP CRLF Injection vulnerability

Security Focus warns that the PHP functions fopen(), file() and others have a vulnerability that makes it possible to add extra HTTP headers to the HTTP requests they send. Attackers may use it to bypass certain restrictions, such as which host on a web server can be accessed. In some cases, the vulnerability even allows arbitrary network connections, turning some PHP scripts into proxies and open mail relays.

The vulnerability affects PHP 4.1.2, 4.2.2, 4.2.3, and the latest CVS version.

A workaround as well as more information on the vulnerability is available on the Security Focus web site.
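
One way to guard a script that passes user input to fopen() or file() is sketched below. It is an added example, not the workaround published by Security Focus and not code from the original article; the function name `safe_remote_url()`, the `ALLOWED_HOSTS` list and the sample URLs are hypothetical. It uses current PHP syntax (7.1 or later).

```php
<?php
// Added example: validate a user-supplied URL before it reaches fopen()/file().
// ALLOWED_HOSTS and safe_remote_url() are hypothetical names for illustration.

const ALLOWED_HOSTS = ['www.example.com']; // assumption: hosts this script may fetch from

function safe_remote_url(string $url): ?string
{
    // CR, LF, other control characters and spaces have no place in a URL.
    // Rejecting them keeps the input from ending the request line early
    // and appending header lines of its own.
    if (preg_match('/[\x00-\x20\x7f]/', $url)) {
        return null;
    }

    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }

    // Only plain web fetches; no other URL wrappers.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }

    // Embedded credentials are a common way to disguise the real host.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }

    // The host restriction the script relies on is enforced here,
    // on the parsed host, not by string prefix matching.
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return null;
    }

    return $url;
}

// Constructed sample inputs (not taken from the advisory).
$samples = [
    'http://www.example.com/news.txt',                  // accepted
    "http://www.example.com/news.txt\r\nX-Added: 1",    // rejected: CR/LF
    'http://other.example.net/news.txt',                // rejected: host not allowed
    'ftp://www.example.com/news.txt',                   // rejected: scheme
];
foreach ($samples as $candidate) {
    $verdict = safe_remote_url($candidate) === null ? 'rejected' : 'accepted';
    echo json_encode($candidate), ' => ', $verdict, PHP_EOL;
}
```

Only a URL returned by the check should be passed on to fopen() or file(); a `null` result should end the request.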
