Hey, I noticed that Slashdot has a nasty bug, which, I imagine is a fault of Slashcode. On certain occassions, you can find a very interesting Referer string for some visitiors of pages mentioned on this site. One of such entries: 63.XXX.XXX.175 - - [11/Sep/2002:18:13:33 +0200] "GET /newtcp/ HTTP/1.1" 200 33541 "http://slashdot.org/?unickname=dXXg&passwd=rXXXX3"; "Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.1) Gecko/20020826" [lcamtuf.coredump.cx] Go figure. This does not seem to be a consistent pattern, of thousands hits from Slashdot only about 15-20 were like that today, so it seems like a specific condition have to be met, yet it's not that uncommon - I'd guess it happens right after you login and click on the link. I did not investigate it too much, but it seems to me that Slashcode is fairly popular and used in quite a few places - and that's a nice example of why GET shouldn't be used for forms. This is based exclusively on the real world observation of this pattern. I gave Slashdot a short notice because it does not really matter how fast you patch it - once public, people can grep their webserver logs for past entries anyway. -- Michal Zalewski
