by gtCameron 4371 days ago
Couldn't you say the same thing about downloading and running any installer from the internet? There is nothing special about PHP that makes this insecure; the exact same attack you describe could be done when you are downloading a Windows installer executable from a browser and double-clicking it.
2 comments

> There is nothing special about PHP that makes this insecure

He didn't say it was because of PHP; he said it was because of HTTP (i.e., because it's not over SSL).

> the exact same attack you describe could be done when you are downloading a Windows installer executable from a browser and double clicking it

Exactly, which is why people who are security-conscious never simply execute a Windows installer downloaded from the browser (or wget, for that matter). At a minimum, one checks the file hashes. Ideally, one confirms that the executable has been properly signed and not tampered with (by right-clicking the file, clicking 'properties' and looking at the 'signature' tab, or else manually checking if it's been GPG signed).

The point is there's no SSL.