On Wed, Sep 14, 2022 at 12:33 PM Tim Düsterhus <t...@bastelstu.be> wrote:

> Hi
>
> On 9/14/22 20:44, Jordan LeDoux wrote:
> > Honestly, another question I'm thinking about at the moment is whether it's
> > possible to construct an attack against known script behavior if you also
> > are able to determine the ini config at which partial form data would make
> > it to the script with the script thinking it has full form data. To be
> > clear, I haven't been able to think of one, but I also recognize that I'm
> > not nearly as clever at those sorts of things as some attackers are.
>
> Maybe I misunderstood what you are thinking about, but can't you just …
> not send all the fields to achieve exactly the same results as an attacker?
>
> Best regards
> Tim Düsterhus
>

Yes, probably. That's why I was saying, I know I'm not as clever with that
space. I think those would be equivalent cases, but I'm not sure if there
are any edge cases there either. Maybe that thought wasn't appropriate for
the ML, since I'm not suggesting there is a problem, I'm mostly just
wondering if someone with more expertise can confirm that it isn't an issue.

Jordan
