Toko Lite CMS 1.5.2 (edit.php) HTTP Response Splitting Vulnerability

Title: Toko Lite CMS 1.5.2 (edit.php) HTTP Response Splitting Vulnerability
Advisory ID: ZSL-2011-5048
Type: Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 19.09.2011
Summary
Toko Web Content Editor CMS is a compact, multi-language, open source web editor and content management system (CMS). It is an advanced, easy-to-use yet fully featured program that can be integrated with any existing site. It takes 2 minutes to install, even for non-technical users.
Description
Input passed to the 'charSet' parameter in 'edit.php' is not properly sanitised before being returned to the user. This can be exploited to insert arbitrary HTTP headers, which are included in a response sent to the user.

--------------------------------------------------------------------------------

/edit.php
----------------
$charSet = "iso-8859-1";
$dir = "ltr";

if ( isset( $_POST[ "charSet" ] ) )
{
    // Request value is taken as-is, with no validation
    $charSet = $_POST[ "charSet" ];

    if ( $charSet == "windows-1255" )
    {
        $dir = "rtl";
    }
}

// Unsanitised value is concatenated into the response header
header( "Content-Type: text/html; charset=" . $charSet );

--------------------------------------------------------------------------------
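
A hardened form of the snippet above, as an added example that is not part of the advisory or of Toko's code: the 'charSet' value is matched against a fixed allowlist, and only a known constant is ever passed to header(). The function name resolve_charset and the list of permitted charsets are assumptions; the sample inputs are constructed.

```php
<?php
// Added example, not Toko's code. PHP 5.3-compatible syntax.

/**
 * Map a client-supplied charset to a value that is safe to emit in a
 * Content-Type header. Anything not on the allowlist yields the default.
 */
function resolve_charset($requested, $default = 'iso-8859-1')
{
    // Assumed list of charsets the editor offers; adjust to the real set.
    static $allowed = array('iso-8859-1', 'utf-8', 'windows-1255');

    // charSet[]=x arrives as an array, a missing field as null.
    if (!is_string($requested)) {
        return $default;
    }

    $candidate = strtolower(trim($requested));

    // Strict comparison against known constants: a value carrying CR, LF
    // or any other extra bytes cannot match and never reaches header().
    return in_array($candidate, $allowed, true) ? $candidate : $default;
}

if (PHP_SAPI !== 'cli') {
    // Replacement for the header logic shown in edit.php.
    $charSet = resolve_charset(isset($_POST['charSet']) ? $_POST['charSet'] : null);
    $dir = ($charSet === 'windows-1255') ? 'rtl' : 'ltr';
    header('Content-Type: text/html; charset=' . $charSet);
} else {
    // Constructed inputs for a quick command-line check.
    $samples = array(
        'windows-1255',
        'UTF-8',
        "utf-8\r\nX-Injected: 1",
        array('utf-8'),
        null,
    );
    foreach ($samples as $sample) {
        echo json_encode($sample), ' => ', resolve_charset($sample), "\n";
    }
}
```

Run from the command line, the first two samples resolve to their lowercase allowlisted names and the remaining three fall back to iso-8859-1.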

Vendor
Toko - http://toko-contenteditor.pageil.net
Affected Version
1.5.2
Tested On
Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41
Vendor Status
N/A
PoC
tokocms_crlf.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.exploit-db.com/exploits/17859/
[2] http://packetstormsecurity.org/files/105218
[3] http://www.securityfocus.com/bid/49673
[4] http://1337day.com/exploits/16939
[5] http://securityreason.com/wlb_show/WLB-2011090085
[6] http://securityreason.com/exploitalert/10843
[7] http://xforce.iss.net/xforce/xfdb/69902
Changelog
[19.09.2011] - Initial release
[20.09.2011] - Added references [3], [4], [5], [6] and [7]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk