Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Michal Zalewski (lcamtuf_at_dione.ids.pl)
Date: Wed Sep 11 2002 - 12:25:45 CDT
I noticed that Slashdot has a nasty bug, which, I imagine is a fault of
Slashcode. On certain occassions, you can find a very interesting Referer
string for some visitiors of pages mentioned on this site. One of such
63.XXX.XXX.175 - - [11/Sep/2002:18:13:33 +0200] "GET /newtcp/ HTTP/1.1"
200 33541 "http://slashdot.org/?unickname=dXXg&passwd=rXXXX3"
"Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.1) Gecko/20020826"
Go figure. This does not seem to be a consistent pattern, of thousands
hits from Slashdot only about 15-20 were like that today, so it seems like
a specific condition have to be met, yet it's not that uncommon - I'd
guess it happens right after you login and click on the link. I did not
investigate it too much, but it seems to me that Slashcode is fairly
popular and used in quite a few places - and that's a nice example of why
GET shouldn't be used for forms. This is based exclusively on the real
world observation of this pattern.
I gave Slashdot a short notice because it does not really matter how fast
you patch it - once public, people can grep their webserver logs for past
-- Michal Zalewski