A security vulnerability in the way certain PHP scripts handle incoming URLs allows attackers to make a script display malicious HTML and JavaScript code as if it were its own. The following is a theoretical example.
Credit:
The information has been provided by Matthew Murphy.
PHP's header() function is used to modify HTTP header information by specifying a header line, such as this:
<?php header("Location: http://www.yahoo.com/"); ?>
It is commonplace to see things such as this:
--- REDIR.PHP ---
<?php header("Location: " . $_GET['url']); ?>
--- REDIR.PHP ---
<SCR!PT>alert(document.cookie)</SCRIPT><!--} <-- See our code in between the brackets
Content-type: text/html
The HTML produced is "broken" -- that is, it does not comply with RFC standards, because it does not have a closing "-->" tag. Matthew did this to suppress the "Content-type" header that PHP was dumping in the response.
By using this, attackers can perform cross-site scripting attacks or, in rare cases, initiate downloads (via HTTP headers such as Content-Disposition, etc.).
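
A hardened form of the redir.php pattern above, as an added example that is not part of the original advisory: it rejects control characters (the decoded CR/LF that lets a parameter break out of the Location header) and, going one step beyond the case in the text, only redirects to allowlisted http/https hosts. ALLOWED_HOSTS, safe_redirect_target() and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not from the original advisory.
// ALLOWED_HOSTS and safe_redirect_target() are hypothetical names.
const ALLOWED_HOSTS = ['www.example.com', 'example.com']; // constructed allowlist

/** Return $raw if it is safe to place in a Location header, else null. */
function safe_redirect_target($raw): ?string
{
    if (!is_string($raw) || $raw === '') {
        return null;                       // missing, empty, or url[]=... array
    }
    // $_GET is already URL-decoded, so %0D%0A arrives here as raw CR/LF.
    // Reject every control character instead of trying to strip it.
    if (preg_match('/[\x00-\x1F\x7F]/', $raw)) {
        return null;
    }
    $parts = parse_url($raw);
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
        return null;                       // relative or malformed URL
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return null;                       // would be an open redirect
    }
    return $raw;
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs for an offline check: php redir.php
    $samples = [
        'http://www.example.com/welcome',
        "http://www.example.com/\r\n\r\n<b>injected body</b>",
        'ftp://www.example.com/file',
        'http://other.invalid/',
    ];
    foreach ($samples as $s) {
        $verdict = safe_redirect_target($s) === null ? 'rejected' : 'accepted';
        printf("%-8s %s\n", $verdict, json_encode($s));
    }
} else {
    $target = safe_redirect_target($_GET['url'] ?? null);
    if ($target === null) {
        http_response_code(400);
        exit('Bad redirect target');
    }
    header('Location: ' . $target, true, 302);
}
```

PHP 5.1.2 and later refuse to send more than one header from a single header() call, but validating the target first keeps the check explicit and also stops the script from redirecting to arbitrary hosts.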