ATutor 2.0.2 (lang) HTTP Response Splitting Vulnerability

Title: ATutor 2.0.2 (lang) HTTP Response Splitting Vulnerability
Advisory ID: ZSL-2011-5037
Type: Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 06.08.2011
Summary
ATutor is an Open Source Web-based Learning Content Management System (LCMS) designed with accessibility and adaptability in mind. Educators can quickly assemble, package, and redistribute Web-based instructional content, easily retrieve and import prepackaged content, and conduct their courses online.
Description
Input passed to the 'lang' parameter in '/documentation/index_list.php' is concatenated, without any validation or encoding, into the value of a Location header that the script sends via header(). A request whose 'lang' value carries URL-encoded line breaks can therefore terminate the Location header and append arbitrary headers or body content to the response (HTTP response splitting), which in turn allows client-side script to be injected into the page the victim receives. Note that PHP 5.1.2 and later refuse a header() call whose value contains a bare CR/LF (warning "Header may not contain more than a single header, new line detected"), so whether the split actually reaches the client depends on the PHP build and SAPI in use; the code is an injection point regardless, and the correct fix is to validate the value before it reaches header().

--------------------------------------------------------------------------------

/documentation/index_list.php
----------------
<?php
// Vulnerable: the raw 'lang' query parameter is appended to the Location
// header with no validation, so CR/LF in the value can split the response.
header('Location: index/index.php?'.$_GET['lang']);
exit;
?>

--------------------------------------------------------------------------------
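A hardened replacement for the script, added here as an illustration; it is not the vendor's fix. It assumes PHP 7.1 or later, that the redirect target expects the value as lang=<code>, and that ATutor language codes are short strings of letters, digits, '-' and '_' (e.g. "en", "fr-ca"); the safe_lang_query() function and the 16-character bound are this example's own choices.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not ATutor's code: validate the requested language code
 * and return the query string to redirect with, or null if it is unsafe.
 * Assumption: language codes are 1-16 characters of [A-Za-z0-9_-].
 */
function safe_lang_query(?string $lang): ?string
{
    if ($lang === null || $lang === '') {
        return '';                       // nothing requested: redirect without a query
    }
    // The /D modifier stops '$' from matching before a trailing "\n", so
    // "en\n" is rejected rather than accepted. Any CR, LF, NUL, space or
    // other character outside the allow-list fails the match.
    if (!preg_match('/^[A-Za-z0-9_-]{1,16}$/D', $lang)) {
        return null;
    }
    // Encode even the validated value so the header stays well-formed if
    // the allow-list is ever widened.
    return 'lang=' . rawurlencode($lang);
}

$raw = $_GET['lang'] ?? null;            // lang[]=x arrives as an array: treat as invalid
$query = ($raw === null || is_string($raw)) ? safe_lang_query($raw) : null;

if ($query === null) {
    http_response_code(400);
    exit('Invalid language code.');
}
header('Location: index/index.php?' . $query);
exit;
```

The allow-list is the actual control: once the value can only contain characters from a small set, no encoding of a line break survives to header(), independent of whatever protection the PHP runtime itself applies. Rejecting with a 400 rather than silently redirecting also makes the tampering visible in server logs.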

Vendor
ATutor (Inclusive Design Institute) - http://www.atutor.ca
Affected Version
2.0.2 (build r10589)
Tested On
Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41
Vendor Status
[03.08.2011] Submitted vulnerability details to vendor's bug tracking system.
[05.08.2011] No reaction from vendor.
[06.08.2011] Public security advisory released.
[11.08.2011] Vendor releases fix.
PoC
atutor_httprs.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://atutor.ca/atutor/mantis/view.php?id=4805
[2] http://securityreason.com/wlb_show/WLB-2011080041
[3] http://www.exploit-db.com/exploits/17631/
[4] http://packetstormsecurity.org/files/103765
[5] http://www.securityfocus.com/bid/49057
Changelog
[06.08.2011] - Initial release
[08.08.2011] - Added reference [4] and [5]
[11.08.2011] - Added vendor status.
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk