Stefano Di Paola has reported some vulnerabilities in Internet Explorer, which can be exploited by malicious people to conduct HTTP request smuggling/splitting attacks.

The problem is that it is possible to modify certain headers via "setRequestHeader()", which can be exploited to e.g. inject arbitrary HTTP requests by setting the "Transfer-Encoding" header to "chunked" or to overwrite certain headers (e.g. "Content-Length", "Host", and "Referer").

The vulnerabilities are reported in version 7.0.5730.11. Other versions may also be affected.

http://secunia.com/advisories/29453/