Anchor CMS 0.9.2 Header Injection

`Anchor CMS <= 0.9.2 (Current Version)  
  
header injection  
  
in anchor/models/comment.php  
  
$headers = 'MIME-Version: 1.0' . "\r\n";  
$headers .= 'Content-type: text/html; charset=utf-8' . "\r\n";  
$headers .= 'From: notifications@' . $_SERVER['HTTP_HOST'] . "\r\n";  
  
49: mail($to, __('comments.notify_subject'), $message, $headers);  
  
so it is possible to inject arbitary "From" headers or any header  
using CRLF. simply by tampering and changing the host to bad.com or  
bad.com\r\nNew-Header:Hacked!  
`