Interesting, I'm not getting this flaw at all. Which version of 2.3 is this addressing? Rails 2.3.1 only? I just tried this on a 2.3.2 app and got HTTP Basic: Access denied.
Rails 2.3.x. The app you tested this on, what's the password procedure like? One part of the problem is doing a password procedure like "Users[name]" where Users is a hash of usernames/passwords. Also, I believe this just affects folks doing digest auth (authenticate_or_request_with_http_digest), not basic auth (authenticate_or_request_with_http_basic).