Attackers use newline characters ( \r\n or %0A%0D ) to "break out" of the intended field and insert their own SMTP headers. In some configurations, this leads to the server executing unintended commands.

Anatomy of the V3.1 Exploit

The form handler passes user input straight into the mail() call without checking it for line breaks:

```php
<?php
$to      = "admin@site.com";
$subject = $_POST['subject'];           // Vulnerable point: unvalidated input becomes the Subject header
$message = $_POST['message'];
$headers = "From: " . $_POST['email'];  // Vulnerable point: unvalidated input becomes the From header
mail($to, $subject, $message, $headers);
```

3. The Execution

The server interprets the %0A as a line break, creating a new header line. The mail server now sees a valid Cc or Bcc instruction, sending the message to thousands of unauthorized recipients using your server's reputation.

Beyond Spam: Escalating to RCE

$subject = $_POST['subject']
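A hardened version of the form handler, added here as an example (it is not code from the page's author or from the V3.1 form). It rejects any header field that carries a CR, LF or NUL, validates the visitor's address with filter_var(), keeps From: fixed to a mailbox the server owns, and puts the visitor's address only in Reply-To:, so the form can neither forge sender identity nor append Cc:/Bcc: lines. The function names, the webform@example.com mailbox and the sample inputs are assumptions made for this example; passing the headers as an array assumes PHP 7.2 or later.

```php
<?php
// Added example, not from the original page: a hardened replacement for the
// vulnerable handler. Helper names, the site mailbox and the sample inputs
// below are this example's own assumptions.
declare(strict_types=1);

/**
 * True if a value contains a character that would terminate a header line.
 * By the time a handler reads $_POST, PHP has already URL-decoded it, so a
 * submitted %0A or %0D arrives here as a real "\n" or "\r".
 */
function hasHeaderInjection(string $value): bool
{
    return (bool) preg_match('/[\r\n\0]/', $value);
}

/**
 * Validate the three user-controlled fields. Throws on any value that could
 * smuggle an extra header; returns the cleaned values otherwise.
 */
function validateMailInput(string $email, string $subject, string $message): array
{
    // A single, syntactically valid mailbox or nothing. FILTER_VALIDATE_EMAIL
    // refuses embedded whitespace, CR and LF, so a "Bcc:" continuation fails.
    $email = filter_var(trim($email), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new InvalidArgumentException('invalid sender address');
    }

    // The subject also ends up on a header line: no line terminators allowed.
    if (hasHeaderInjection($subject)) {
        throw new InvalidArgumentException('subject contains a line break');
    }
    $subject = trim($subject);

    // The body may legitimately contain newlines; normalise them to CRLF so
    // the message body is well-formed and carries no bare CR or LF.
    $message = preg_replace("/\r\n|\r|\n/", "\r\n", $message);

    return ['email' => $email, 'subject' => $subject, 'message' => $message];
}

/**
 * Fixed From: (a mailbox this server is allowed to send as, which also keeps
 * SPF/DMARC intact) and the visitor only in Reply-To:. Each header is a
 * separate array element, so no user value can start a new header line.
 */
function buildHeaders(string $visitorEmail): array
{
    return [
        'From'         => 'webform@example.com',   // assumed site mailbox
        'Reply-To'     => $visitorEmail,
        'Content-Type' => 'text/plain; charset=UTF-8',
    ];
}

// Constructed inputs, shaped like decoded $_POST values. The 'encoded' case
// is URL-decoded first to mirror what PHP does to a submitted %0A.
$samples = [
    'clean'    => ['alice@example.org', 'Question about my order', "Hello,\nwhere is it?"],
    'injected' => ["alice@example.org\r\nBcc: victim@example.net", 'Hi', 'x'],
    'encoded'  => ['alice@example.org', urldecode('Hi%0ABcc:victim@example.net'), 'x'],
];

foreach ($samples as $label => [$email, $subject, $message]) {
    try {
        $clean   = validateMailInput($email, $subject, $message);
        $headers = buildHeaders($clean['email']);
        // Real handler would now call:
        // mail('admin@site.com', $clean['subject'], $clean['message'], $headers);
        echo "$label: accepted, Reply-To: {$headers['Reply-To']}\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
```

Run it with the php command-line binary; the mail() call is left commented out so the demonstration needs no MTA. The two constructed inputs that carry a line break are rejected before any header is assembled, and only the clean one reaches the point where mail() would be called. Validating the decoded value is the important part: checking for the literal string "%0A" would miss the attack, because PHP has already turned it into a newline by the time the handler sees $_POST.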