We describe a new web entity attack technique – “HTTP Request
Smuggling”. The attack technique and the derived attacks are relevant
to most web environments and is the result of a HTTP server or
device’s failure to properly handle malformed inbound HTTP requests.
HTTP Request Smuggling works by taking advantage of the discrepancies
in parsing when one or more HTTP devices/entities (e.g. Cache Server,
Proxy Server, Web Application Firewall, etc.) are in the data flow
between the user and the web server. HTTP Request Smuggling enables
various attacks – web cache poisoning, session hijacking, cross-site
scripting and most serious the ability to bypass web application
firewall protection. HTTP Request Smuggling sends multiple
specially-crafted HTTP requests that cause the two attacked entities
to see two different sets of requests, allowing the hacker to smuggle
a request to one device without the other device being aware of it. In
the Web Cache poisoning attack, this smuggled request will trick the
cache server into unintendedly associating a URL to another URL’s page
(content), and caching this content for the URL. In the Web
Application Firewall attack the smuggled request could be a worm (like
Nimda or Code Red) or buffer overflow attack targeting the web server.
Finally, because HTTP Request Smuggling enables the attacker to insert
or sneak a request into the flow it allows the attacker to manipulate
the web server’s request/response sequencing which can allow for
credential hijacking and other malicious outcomes."
Thank you,
*Ory Segal
*/Director of Security Research/
Watchfire (Israel) LTD.
Full Article

All rather interesting if you have a vulnerable combination of systems. Worse yet I believe Snort needs preprocessor support, (a simple signature to match on packet content won't work), since the critical portions of the exploit have to be carried in separate packets in order to successfully "smuggle" the invalid request.