Digest authentication request splitting

ID MFSA2007-31
Type mozilla
Reporter Mozilla Foundation
Modified 2007-10-18T00:00:00


Security researcher Stefano Di Paola reported that Firefox did not properly validate the user ID when making an HTTP request using Digest Authentication to log into a web site. A malicious page could abuse this to inject arbitrary HTTP headers by including a newline character in the user ID followed by the injected header data. If the user were connecting through a proxy the attacker could inject headers that a proxy would interpret as two separate requests for different hosts.