
Popular posts from leaky bug-tracking systems - weinzierl
https://rachelbythebay.com/w/2020/03/05/bugs/
======
blakesterz
Very cool read! Apache/nginx logs can be really interesting to look through
sometimes.

It is sad that the Referer Header is pretty much dead now. Looking at the
Apache logs used to be a useful way to see what was going on and why a site
was busy suddenly. Those headers were also a great way to gather whatever
analytics was called before it became what it is now. I guess we just called
them 'stats' because we didn't care about ads?

I once was looking at the logs for whatever reason and spotted a link back to
what was clearly a webmail system at a decent sized .edu and decided to click
that link. BOOM. I was looking at someone's inbox. There was no authentication
at all on the email there. I did report that, hopefully they fixed it fast.

~~~
RcouF1uZ4gsC
> There was no authentication at all on the email there. I did report that,
> hopefully they fixed it fast.

I bet there was some token in the URL, and that URL with the token was sent as
the referer, and then when you clicked the link, you also got the
authentication token since it was in the URL.

~~~
exikyut
Ok that was a small beer-bottle-over-the-head moment.

Does this sort of disaster have a specific name? I realize it's a type of XSRF
but I don't know of any contractions for "I was erroneously supplied working
credentials and this needs fixing".

This reminds me of the practice of digging through GitHub for leaked
credentials.
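
The leak RcouF1uZ4gsC describes (a bearer token carried in the URL, then forwarded to a third party in the Referer header) is something a defender can look for in their own access logs. The scanner below is an added example written for this thread, not code from the article or any commenter: it parses Apache "combined" format lines, pulls the query string out of each Referer, and reports parameters whose names look credential-like, with the values redacted so the report itself does not re-leak them. The log lines, the host names and the list of suspicious parameter names are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" log format:
# host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Parameter names that commonly carry a bearer credential. This is a starting
# list chosen for the example; extend it for the applications you actually run.
SENSITIVE_KEYS = re.compile(r'(token|session|sess|auth|key|sig|secret|password|pwd)', re.I)


def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix so a finding can be correlated without repeating the secret."""
    return value[:keep] + "…" if len(value) > keep else "…"


def credential_params(url: str):
    """Return [(name, redacted_value)] for query parameters that look like credentials."""
    parts = urlsplit(url)
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if value and SENSITIVE_KEYS.search(name):
            hits.append((name, redact(value)))
    return hits


def scan_referers(lines):
    """One finding per log line whose Referer carries a credential-like parameter."""
    findings = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        referer = m.group("referer")
        if referer in ("", "-"):
            continue  # no Referer was sent
        hits = credential_params(referer)
        if hits:
            findings.append({
                "client": m.group("host"),
                "referer_host": urlsplit(referer).netloc,
                "params": hits,
            })
    return findings


# Constructed sample log lines (not taken from the article or the thread).
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Mar/2020:10:12:01 -0800] "GET /w/2020/03/05/bugs/ HTTP/1.1" 200 5120 '
    '"https://webmail.example.edu/inbox?session_token=8f3a9c0d1e2b4a5c&folder=INBOX" "Mozilla/5.0"',
    '198.51.100.9 - - [05/Mar/2020:10:12:05 -0800] "GET /w/ HTTP/1.1" 200 2048 '
    '"https://news.example.com/item?id=22491" "Mozilla/5.0"',
    '192.0.2.44 - - [05/Mar/2020:10:12:09 -0800] "GET /style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_referers(SAMPLE_LOG):
        print(finding)
```

Run against the sample, only the first line is reported: the webmail host and a redacted `session_token`. A hit tells the site operator which upstream application is putting credentials in URLs; the durable fix is on that application's side (credentials in cookies or headers, not the query string), with a restrictive `Referrer-Policy` as a further measure to limit what browsers forward.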

------
jodrellblank
How much of programming/IT is tiptoeing through a minefield of broken shit
hoping you can remember enough edge cases from your experience that you can
avoid snagging on an issue which arrests your progress for large stretches of
time?

And how much of vaunted 10x productivity is being able to have a clear path to
get up to speed and stay at speed, without such snags anywhere nearby?

And how much of company problems are related to many employees being stuck in
tarpits like these (and similar businessy ones)?

------
chkaloon
Very interesting!

Risking going off on a tangent... Regarding the first one with the time issue.
I've always felt uneasy about all the ambiguity in the components of the time
structure. People can easily get confused about the offset, the tz, and the
dst flag. Are they independent? Do you add all their effects together when you
calculate the UTC time? Are they redundant, so you can only use the offset? No
surprise that it's interpreted in many different ways.
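
To make the ambiguity chkaloon raises concrete, here is an added example (written for this thread, not from the article) that takes a record with the three components in question, a UTC offset, a zone name and a DST flag, and converts it to UTC under three readings: trust the offset alone, trust the zone rules alone, or trust the zone's standard offset plus the DST flag. The zone rule is a simplified, hand-coded US Eastern rule valid only for 2020, an assumption made to keep the example self-contained; the records are constructed.

```python
from datetime import datetime, timedelta, timezone

# Simplified US Eastern rule for 2020 only (assumption for this example):
# DST ran from 2020-03-08 02:00 to 2020-11-01 02:00 local wall-clock time.
DST_START = datetime(2020, 3, 8, 2, 0)
DST_END = datetime(2020, 11, 1, 2, 0)
STD_OFFSET = timedelta(hours=-5)   # EST
DST_OFFSET = timedelta(hours=-4)   # EDT
ZONE = "America/New_York"


def zone_offset(local_naive: datetime) -> timedelta:
    """Offset the zone rules say applies at this local wall-clock time."""
    return DST_OFFSET if DST_START <= local_naive < DST_END else STD_OFFSET


def utc_trust_offset(local_naive, offset, dst, tz):
    """Reading 1: the stored offset is authoritative; tz and dst are ignored."""
    return (local_naive - offset).replace(tzinfo=timezone.utc)


def utc_trust_zone(local_naive, offset, dst, tz):
    """Reading 2: the zone name is authoritative; offset and dst are ignored."""
    if tz != ZONE:
        raise ValueError("example only knows " + ZONE)
    return (local_naive - zone_offset(local_naive)).replace(tzinfo=timezone.utc)


def utc_zone_plus_flag(local_naive, offset, dst, tz):
    """Reading 3: zone gives the standard offset, the dst flag adds an hour."""
    if tz != ZONE:
        raise ValueError("example only knows " + ZONE)
    effective = STD_OFFSET + timedelta(hours=1) if dst else STD_OFFSET
    return (local_naive - effective).replace(tzinfo=timezone.utc)


READINGS = {
    "trust_offset": utc_trust_offset,
    "trust_zone": utc_trust_zone,
    "zone_plus_flag": utc_zone_plus_flag,
}


def interpretations(local_naive, offset, dst, tz):
    """UTC instant under each reading of the (offset, tz, dst) triple."""
    return {name: fn(local_naive, offset, dst, tz) for name, fn in READINGS.items()}


def components_consistent(local_naive, offset, dst, tz) -> bool:
    """True only when every reading yields the same instant, i.e. the triple is redundant but agreeing."""
    return len(set(interpretations(local_naive, offset, dst, tz).values())) == 1


# Constructed records. The first carries a stale offset and dst flag (EDT values
# on a date that is still EST); the second is internally consistent.
STALE = dict(local_naive=datetime(2020, 3, 5, 12, 0), offset=timedelta(hours=-4), dst=1, tz=ZONE)
CONSISTENT = dict(local_naive=datetime(2020, 3, 5, 12, 0), offset=timedelta(hours=-5), dst=0, tz=ZONE)

if __name__ == "__main__":
    for label, rec in (("stale", STALE), ("consistent", CONSISTENT)):
        print(label, {k: v.isoformat() for k, v in interpretations(**rec).items()})
```

For the stale record the three readings disagree by an hour (16:00Z, 17:00Z, 16:00Z), so whichever component a consumer happens to trust decides the answer; the consistent record yields 17:00Z under all three. A validator that refuses records where the readings disagree, as `components_consistent` does, catches the bug at ingestion instead of at the point where the clocks mysteriously differ.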

