Stefano `wisec` Di Paola has just released a new advisory, IE 7 and Firefox Browsers Digest Authentication Request Splitting. In short, by using the user field an attacker is able to split the request by injecting arbitrary characters.
IE 7 and Firefox Browsers Digest Authentication Request Splitting

Name: IE 7 and Firefox Browsers Digest Authentication Request Splitting
Systems Affected: Internet Explorer 7.0.5730.11 and FF 2.0.0.3
Severity: Medium
Vendor: http://www.microsoft.com/ & http://www.mozilla.com
Advisory: http://www.wisec.it/vulns.php?id=11
Authors: Stefano `wisec` Di Paola (stefano.dipaola@wisec.it)
Discovery Date: 20070213
Release Date: 20070425

I) Short description

Firefox and Internet Explorer are prone to HTTP Request Splitting when Digest Authentication occurs.

If anyone wants to know about HTTP Request Splitting, HTTP Request Splitting attacks are described in various papers and advisories:

1. http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf
2. http://www.webappsec.org/lists/websecurity/archive/2006-07/msg00069.html
3. http://download2.rapid7.com/r7-0026/
4. http://www.wisec.it/docs.php?id=4 (About Auto Injection with Req.Split.)
Get the complete paper here: IE 7 and Firefox Browsers Digest Authentication Request Splitting.
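
The check a client needs on the user field before it serializes Digest credentials into an Authorization header, as an added example (not code from the advisory or from either browser). The function names and sample values are constructed for illustration.

```javascript
// Added example: hypothetical helpers, not browser source code.

// CR, LF, NUL and the other C0 controls plus DEL must never reach a header value.
const CONTROL_CHARS = /[\u0000-\u001f\u007f]/;
const FIELDS = ['username', 'realm', 'nonce', 'uri', 'response'];

// Escape a value for an HTTP quoted-string (backslash and double quote).
function quoteParam(value) {
  return '"' + value.replace(/(["\\])/g, '\\$1') + '"';
}

// Naive form: interpolates the user field as-is, so a CR LF inside it
// ends the Authorization header and whatever follows becomes new lines.
function buildDigestHeaderNaive(p) {
  return `Authorization: Digest username="${p.username}", realm="${p.realm}", ` +
         `nonce="${p.nonce}", uri="${p.uri}", response="${p.response}"`;
}

// Hardened form: reject control characters in every field, then quote.
function buildDigestHeader(p) {
  for (const name of FIELDS) {
    const v = p[name];
    if (typeof v !== 'string' || CONTROL_CHARS.test(v)) {
      throw new Error(`invalid character in Digest field: ${name}`);
    }
  }
  return 'Authorization: Digest ' +
    FIELDS.map((n) => `${n}=${quoteParam(p[n])}`).join(', ');
}

// Number of wire lines a serialized header occupies (1 means no splitting).
function headerLineCount(serialized) {
  return serialized.split('\r\n').length;
}

// Constructed sample credentials (not taken from the advisory).
const SAMPLE_OK = {
  username: 'alice', realm: 'example', nonce: 'abc123',
  uri: '/private/', response: '0123456789abcdef0123456789abcdef',
};
// Same credentials with a CR LF embedded in the user field.
const SAMPLE_SPLIT = { ...SAMPLE_OK, username: 'alice\r\nX-Constructed: 1' };
```
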