What is it
Also known as HTTP response splitting, CRLF injection is a simple but powerful web attack. CR (Carriage Return) and LF (Line Feed) are two important components of an HTTP response header that tell the browser (and other components in between, such as proxy servers and caching servers) that the data has been transferred and the connection can be closed.
By inserting a CRLF into a response and sending incomplete data, an attacker throws the system or application into disarray: the output is no longer in the expected format, which results in unexpected behaviour.
How serious is it
CRLF vulnerabilities are usually exploited to enable other attacks (proxy server poisoning, cache server poisoning, session hijacking and also web site defacement), in what are known as chained exploits.
The impact of CRLF Injection may result in
The amount of data an attacker can retrieve depends on multiple factors, such as the attacker's creativity and the system's design and implementation.
How to prevent
Verify user input. In other words, never trust the user. Always sanitize user input so that any response splitting attack can be stopped.
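The two points above, how a CR/LF inside a header value splits a response into something the browser or proxy reads as extra headers, and how validating the value before it reaches the header stops that, as an added example (not code from the original page). The function names, the tiny header parser and the tainted `redirect` value are all constructed for illustration:

```python
"""Added example: a header built from unvalidated input beside its hardened
form, plus a minimal parser showing what an intermediary actually sees.
All names and sample data here are constructed for this illustration."""

CRLF = "\r\n"


class HeaderInjectionError(ValueError):
    """Raised when a value destined for a header carries a line break."""


def build_response_unsafe(redirect_target: str) -> str:
    """Vulnerable: copies a user-controlled value straight into a header."""
    return (
        "HTTP/1.1 302 Found" + CRLF
        + "Location: " + redirect_target + CRLF
        + "Content-Length: 0" + CRLF
        + CRLF
    )


def validate_header_value(value: str) -> str:
    """Hardened: refuse any value containing CR, LF or NUL instead of trying
    to strip or encode it, so the caller has to deal with bad input."""
    if any(ch in value for ch in ("\r", "\n", "\0")):
        raise HeaderInjectionError("header value contains a line break")
    return value


def build_response_safe(redirect_target: str) -> str:
    """Same response, but the value is validated before it becomes a header."""
    return build_response_unsafe(validate_header_value(redirect_target))


def parse_headers(raw: str) -> dict:
    """Minimal response parser: split at the blank line, then treat every
    CRLF-terminated line after the status line as one header. This mirrors
    how a browser or caching proxy would read the bytes."""
    head, _, _body = raw.partition(CRLF + CRLF)
    headers = {}
    for line in head.split(CRLF)[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


# Constructed sample: a redirect parameter padded with CRLF so that the
# remainder is parsed as a second, attacker-chosen header.
TAINTED_TARGET = "/home\r\nSet-Cookie: session=attacker-chosen"


def is_split(response: str) -> bool:
    """Detection helper: does the response carry a header the application
    never meant to send (here, any Set-Cookie)?"""
    return "set-cookie" in parse_headers(response)


if __name__ == "__main__":
    print(parse_headers(build_response_unsafe(TAINTED_TARGET)))
    try:
        build_response_safe(TAINTED_TARGET)
    except HeaderInjectionError as exc:
        print("rejected:", exc)
```

Rejecting rather than stripping is deliberate: silently removing the bytes hides the fact that someone sent them, and a rejection can be logged and alerted on. Mature HTTP libraries apply the same check for you (Python's `http.client`, for instance, raises `ValueError` on a header value containing CR or LF), so the real risk is code that concatenates headers by hand or bypasses the library.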
Implement Secure Software Development Lifecycle (SSDLC)
Secure coding guidelines, although critical, form only one piece of the puzzle. To ensure that applications are secure, security needs to be built in from the requirements stage and carried through every other stage, be it design, coding, review, testing, release or implementation.