Mozilla Foundation Security Advisory 2007-31
Title: Digest authentication request splitting
Announced: October 18, 2007
Reporter: Stefano Di Paola
Products: Firefox, SeaMonkey
Fixed in: Firefox 220.127.116.11
Security researcher Stefano Di Paola reported that Firefox did not properly validate the user ID when making an HTTP request using Digest Authentication to log into a web site. A malicious page could abuse this to inject arbitrary HTTP headers by including a newline character in the user ID followed by the injected header data. If the user were connecting through a proxy, the attacker could inject headers that a proxy would interpret as two separate requests for different hosts.
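The missing validation described above, as an added example that is not Mozilla's code or the actual fix: a builder that copies the user ID straight into the header beside one that rejects control characters. The function names and sample inputs are hypothetical, and only the `username` field of the Digest header is modelled.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Naive construction: the user ID is copied into the header unchanged,
// so a CR or LF in it ends the Authorization line early.
std::string naive_digest_header(const std::string& user) {
    return "Authorization: Digest username=\"" + user + "\"";
}

// Hardened construction (hypothetical helper): refuse any user ID containing
// a control character, and escape the quoted-string delimiters.
bool safe_digest_header(const std::string& user, std::string& out) {
    std::string quoted;
    for (unsigned char c : user) {
        if (c < 0x20 || c == 0x7f) return false;    // CR, LF, NUL, other controls
        if (c == '"' || c == '\\') quoted += '\\';  // keep the value inside its quotes
        quoted += static_cast<char>(c);
    }
    out = "Authorization: Digest username=\"" + quoted + "\"";
    return true;
}

// Number of header lines a CRLF-delimited parser (a proxy, say) would see.
std::size_t header_line_count(const std::string& header) {
    std::size_t lines = 1;
    for (std::size_t pos = 0;
         (pos = header.find("\r\n", pos)) != std::string::npos; pos += 2)
        ++lines;
    return lines;
}

int main() {
    // Constructed sample inputs, not taken from the advisory.
    const std::string benign = "alice";
    const std::string with_newline = "alice\r\nX-Injected: 1";
    std::string out;
    std::cout << header_line_count(naive_digest_header(with_newline))
              << " header lines from the naive builder\n";
    std::cout << (safe_digest_header(with_newline, out) ? "accepted" : "rejected") << "\n";
    std::cout << (safe_digest_header(benign, out) ? out : "rejected") << "\n";
    return 0;
}
```

Rejecting the value outright, rather than stripping the newline, avoids sending credentials for a user ID the user never typed.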