[This was originally published on the OSVDB blog.]
Last month, Watchfire released a new paper describing “HTTP Request Smuggling” attacks. Since the release of this paper, many products have been found prone to such attacks. Some of these include SunONE Web Server, Oracle Application Server Web Server, IBM WebSphere, BEA WebLogic, Tomcat, Microsoft Internet Information Server, DeleGate Proxy, Sun Java System Web Proxy Server, Squid and Apache. This may qualify as the most recent class of vulnerability discovered and could prove interesting over the next few months as vendors scramble to diagnose their products.