CRLF injection vulnerability in mailback.pl in Erik C. Thauvin mailback allows remote attackers to use mailback as a "spam proxy" by modifying mail headers, including recipient e-mail addresses, via newline characters in the Subject field.
Erik Thauvin mailback.pl Subject Line Arbitrary Mail Relay
Remote / Network Access
Loss of Integrity
Erik Thauvin's mailback.pl contains a flaw that may allow a malicious user to inject arbitrary e-mail headers via the user-supplied subject, allowing mail to be sent to arbitrary recipients. The issue is triggered when a malicious user submits a subject containing a newline followed by "Cc" or "Bcc" headers; because the script copies the subject straight into the message header block, the injected lines are treated as genuine headers. The flaw may allow spamming and other unauthorized mail relaying, resulting in a loss of integrity.
Upgrade to version 1.4 or higher, which has been reported to fix this vulnerability. An upgrade is required, as there are no known workarounds.
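The following is an added example, not code from mailback.pl (which is written in Perl) or from the advisory; it is written in Python so the check can be run stand-alone. It shows the defect class the entry describes and the corresponding check: a subject pasted verbatim into the header block lets a CRLF-separated `Bcc:` line become a real header, whereas rejecting any CR or LF in a user-supplied header value before the message is assembled closes the relay. The addresses, subject, and body are constructed sample values; the function names are this example's own.

```python
import email
from email import policy
from email.message import EmailMessage


def build_message_unsafe(sender, recipient, subject, body):
    """Naive construction in the style of the vulnerable script: the Subject
    value is concatenated directly into the header block, so any CRLF inside
    it ends the Subject header and starts a new one."""
    return (
        f"From: {sender}\r\n"
        f"To: {recipient}\r\n"
        f"Subject: {subject}\r\n"
        "\r\n"
        f"{body}\r\n"
    )


def contains_header_injection(value):
    """Return True when a user-supplied header value carries a CR or LF,
    i.e. when it could terminate the current header and inject another."""
    return "\r" in value or "\n" in value


def build_message_safe(sender, recipient, subject, body):
    """Hardened construction: refuse line breaks in the subject up front, then
    let the mail library own the header block instead of string-pasting it.
    (EmailMessage under policy.default also refuses such values on its own;
    the explicit check gives a clear error and works with any mail library.)"""
    if contains_header_injection(subject):
        raise ValueError("Subject may not contain CR or LF characters")
    msg = EmailMessage(policy=policy.default)
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg.as_string()


def recipients_of(raw):
    """Parse a raw message and return the address-bearing headers it really
    contains; an unexpected Cc/Bcc entry is the sign of a successful injection."""
    msg = email.message_from_string(raw, policy=policy.default)
    return {h: str(msg[h]) for h in ("To", "Cc", "Bcc") if msg[h] is not None}


# Constructed sample input: a subject that carries a CRLF followed by a Bcc header.
SENDER = "sender@example.invalid"
RECIPIENT = "recipient@example.invalid"
INJECTED_SUBJECT = "Hello\r\nBcc: victim@example.invalid"


if __name__ == "__main__":
    raw = build_message_unsafe(SENDER, RECIPIENT, INJECTED_SUBJECT, "body text")
    print("unsafe build, headers seen by the MTA:", recipients_of(raw))
    try:
        build_message_safe(SENDER, RECIPIENT, INJECTED_SUBJECT, "body text")
    except ValueError as exc:
        print("safe build refused the subject:", exc)
```

Running the script shows the unsafe builder handing the MTA a `Bcc` header that the form author never set, while the safe builder rejects the same subject before any message exists. The same test, applied to every form field that ends up in a header (From, Reply-To, Subject), is the check a reviewer should look for in any mail-forwarding CGI script.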