Yes, that seems to be, that in (still) latest Joomla (2.5.4) we have a so-called-bug.
By sending malformed request to the user, we are able to "logout" him.
Why this could be used for attack? So, badguy, can change (deface) your companys site,
and add there a password-stealer (to php code for example).
Now he can logout all users like a sniper. ;]
(Yes yes, there is a way from admin panel to do the same, but who cares...? ;))
I want finish some test right now, and for a few hours there will be update here.
...and thanks for watching at all-this-break ;)