ush.it - a beautiful place

IE 7 and Firefox Digest Authentication Request Splitting

April 25, 2007 at 4:50 pm - Filed under Insecurity, Language EN - 204 words, reading time ~0 minutes - Permalink - Comments

Stefano `wisec` Di Paola has just released a new advisory IE 7 and Firefox Browsers Digest Authentication Request Splitting, basically using the user field an attacker is able to split the request injecting arbitrary chars.

IE 7 and Firefox Browsers Digest Authentication Request Splitting

 Name              IE 7 and Firefox Browsers Digest Authentication
 		   Request Splitting
 Systems Affected  Internet Explorer 7.0.5730.11 and FF 2.0.0.3
 Severity          Medium
 Vendor            http://www.microsoft.com/ & http://www.mozilla.com
 Advisory          http://www.wisec.it/vulns.php?id=11
 Authors           Stefano `wisec` Di Paola (stefano.dipaola@wisec.it)
 Discovery Date    20070213
 Release Date      20070425

I) Short description

Firefox and Internet Explorer are prone to Http Request Splitting when
Digest Authentication occurs. If anyone wants to know about HTTP Request
Splitting, HTTP Request Splitting attacks are described in various
papers and advisories:

1. http://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf
2. http://www.webappsec.org/lists/websecurity/arch\
   ive/2006-07/msg00069.html
3. http://download2.rapid7.com/r7-0026/
4. http://www.wisec.it/docs.php?id=4 (About Auto Injection
   with Req.Split.)

Get the complete paper here: IE 7 and Firefox Browsers Digest Authentication Request Splitting.

THP USH Wisec DigitalBullets