This script is possibly vulnerable to CRLF injection attacks.
HTTP headers have the structure "Key: Value", where each line is separated by the CRLF combination. If user input is injected into the value section without properly escaping or removing CRLF characters, it is possible to alter the structure of the HTTP headers.
HTTP Response Splitting is a new application attack technique which enables various new attacks such as web cache poisoning, cross user defacement, hijacking pages with sensitive user information and cross-site scripting (XSS). The attacker sends a single HTTP request that forces the web server to form an output stream, which is then interpreted by the target as two HTTP responses instead of one response.
- You need to restrict CR (decimal 13, 0x0D) and LF (decimal 10, 0x0A) from the user input or properly encode the output in order to prevent the injection of custom HTTP headers.
- CRLF injection/HTTP response splitting
- WordPress Plugin Cimy Counter HTTP Response Splitting and Cross-Site Scripting Vulnerabilities (0.9.4)
- Drupal Core 4.7.x HTTP Response Splitting (4.7.0 - 4.7.7)
- Drupal Core 5.x HTTP Response Splitting (5.0 - 5.2)
- WordPress 'wp-login.php' HTTP Response Splitting Vulnerability (1.2 - 1.2)
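
The remediation above (restrict CR and LF in user input, or encode the output) is sketched below as an added example, not code from the scanner or from any of the listed products. The function names, the redirect scenario and the sample inputs are assumptions made for illustration; the unsafe builder is kept as the "before" form so the difference in the parsed headers is visible.

```python
import re
from urllib.parse import quote

# Characters that end or restructure a header line. NUL is an assumption of
# this example; the page itself names only CR and LF.
_FORBIDDEN = re.compile(r"[\r\n\x00]")


def build_response_unsafe(location):
    """'Before' form: user input is copied into the header value unchanged."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def reject_crlf(value):
    """Option 1: refuse any header value that contains CR, LF or NUL."""
    if _FORBIDDEN.search(value):
        raise ValueError("CR/LF in header value")
    return value


def encode_location(value):
    """Option 2: percent-encode the output so CR/LF become %0D/%0A."""
    return quote(value, safe="/:?=&")


def header_names(raw):
    """Split the header block on CRLF, as the recipient of the response does."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    return [line.split(":", 1)[0] for line in head.split("\r\n")[1:]]


# Constructed sample inputs (not taken from the page).
BENIGN = "/account"
TAINTED = "/account\r\nX-Injected: 1"

if __name__ == "__main__":
    print(header_names(build_response_unsafe(BENIGN)))
    print(header_names(build_response_unsafe(TAINTED)))   # extra header appears
    print(header_names(build_response_unsafe(encode_location(TAINTED))))
```

Rejecting is the stricter choice; encoding keeps the request working but is only appropriate for values, such as URLs, where percent-encoding is meaningful to the recipient.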