The principle is simple. When user input is used in different contexts, they mean different things. Html code means nothing in a pure ascii file. Sql commands mean nothing in a C compiler. And javascript means nothing in photshop. But if the right kind of meta characters are used in a spesific context, they can be highly dangerous.
One example of this is sql injections. Characters like ' and -- suddenly have a big impact on the query.
The metacharacter in email header injections is the line feed, 'n', 0x0a, or 10 in decimal. Urlencoded it is %0a. This is because the newline separates headers in emails. Here is an example of an email;
To: [email protected]
Subject: Hello
From: [email protected]
Hi,
Your site is great.
ByeWhen an attacker can change data which goes into headers, he can simply add a newline and put in whatever headers he may prefer.
An example of injecting a header in the "From" field;
[email protected]%0ACcc: [email protected]The resulting email will look like this:
To: [email protected]
Subject: Hello
From: [email protected]
Cc: [email protected]
Hi,
Your site is great.
ByeWhich fill fire off a blind carbon copy to [email protected].
This technique is used by spammers to spread their spam. The spammers construct very specific header injections, which will change the subject and the body.
prevention
A simple blacklist approach where you strip away all newlines may seem viable. But for maximum security, one should also account for unknown attacks. The best solution would be a regular expression which checks for valid email adresses.