Yes, it is/was possible to inject strings into the header this way (slightly more complicated than your description above). Actually, NaviServer/AOLserver should sanitize this string in ns_returnredirect, but they don't do this currently. This potential attack is fixed in the oacs-5-8 branch.
Many thanks for reporting!
-g
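
The kind of check the reply above says is missing from ns_returnredirect can be sketched as follows. This is an added example, not code from the original post and not the fix in the oacs-5-8 branch; the proc names `check_redirect_target` and `safe_returnredirect` and the sample targets are assumptions made for illustration.

```tcl
# Added example: validate a redirect target before it reaches the
# Location header. Hypothetical helper names, constructed sample input.

proc check_redirect_target {url} {
    if {$url eq ""} {
        return -code error "empty redirect target"
    }
    # CR, LF, NUL and every other control character are refused: a CR/LF
    # pair inside the value would end the Location header early and let
    # the rest of the string be read as further header lines.
    if {[regexp {[[:cntrl:]]} $url]} {
        return -code error "control character in redirect target"
    }
    return $url
}

proc safe_returnredirect {url} {
    # Raises an error instead of redirecting when the target is refused.
    set target [check_redirect_target $url]
    # ns_returnredirect only exists inside the server; skip it when this
    # file is run with a plain tclsh.
    if {[llength [info commands ns_returnredirect]]} {
        ns_returnredirect $target
    }
    return $target
}

# Constructed sample targets: two ordinary ones and one carrying CR/LF.
set samples [list \
    "/some/page" \
    "/register/?return_url=%2fsome%2fpage" \
    "/some/page\r\nX-Injected: 1"]

foreach candidate $samples {
    if {[catch {check_redirect_target $candidate} result]} {
        puts "rejected: $result"
    } else {
        puts "accepted: $result"
    }
}
```

The check is applied to the value as the application receives it, that is, after the server has already decoded any percent-encoding in the query string.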