Input Validation Error Medium HTTP header injection vulnerabilities allow for attackers to forge request responses from servers. Attackers may be able to poison the caches of caching HTTP proxies. Some languages/platforms offer some protection against this class of attacks. On versions of PHP4.4 and later, the header() function will only send one header at a time. If a safe function is not found, the externally supplied data used in header fields must have newlines sanitized before inclusion in the response header. HTTP Header injection vulnerabilities can occur when an application or server uses externally supplied input to construct the headers in the HTTP response. This can be a vulnerability in environments where multiple hosts are accessing HTTP servers through a proxy. Forged HTTP responses can be used to poison proxy caches. HTTP Header Injection (Wikipedia) HTTP Response Splitting HTTP Request Smuggling