New reports show that PHP applications, including WordPress, may be exposed to the recently disclosed GHOST bug (CVE-2015-0235) in glibc, the GNU C library used by most Linux distributions, though some researchers believe the vulnerability may not be as easy to exploit as first thought.
Sucuri Inc. researcher Marc-Alexandre Montpas posted an advisory pointing out that PHP applications often call gethostbyname(), the glibc function from which the GHOST bug takes its name, through PHP's own gethostbyname() wrapper. One of the most popular PHP applications to do so is WordPress.
Montpas detailed a proof-of-concept attack path against WordPress built on the GHOST vulnerability. According to Montpas, WordPress's wp_http_validate_url() function calls gethostbyname() while validating the source URL of every incoming pingback. An attacker would only need to send a pingback whose URL carries a specially crafted hostname to trigger the buffer overflow, and potentially gain access to the affected machine.
There are ways to mitigate the issue. First, as Qualys noted when it disclosed the vulnerability, a fix had already been committed to glibc in 2013 (between versions 2.17 and 2.18), but because it was not recognized as a security fix at the time, long-term-support distributions did not backport it; installing the distribution's updated glibc packages closes the hole. Montpas also noted that the attack he describes can be mitigated in WordPress by automatically flagging as a potential threat any pingback whose domain name is longer than 255 bytes. He also included a short PHP test that administrators can run from a server terminal to determine whether a server is vulnerable to GHOST.
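What the trigger looks like and how to check a host, as an added example that is not code from the article, from Sucuri or from Qualys: the C program below (hypothetical file name ghost_check.c; the function names is_ghost_trigger and libc_ghost_vulnerable and the canary string are the example's own) first implements the input filter the advisory suggests, narrowed to the hostname shape that actually reaches glibc's overflowing code path, and then tests the running libc with the same undersized-buffer-plus-canary technique that Qualys's published test program used. It assumes a Linux system with glibc, or another libc that exposes the GNU gethostbyname_r() extension.

```c
/* ghost_check.c: an added example, not code from the article, Sucuri or Qualys.
 *
 * Two things a practitioner wants after reading the advisory:
 *
 *  1. is_ghost_trigger(): the input shape that reaches the vulnerable code path
 *     in glibc's gethostbyname(): a hostname made only of digits and dots that
 *     starts with a digit, does not end in a dot, and is far longer than any
 *     real DNS name. A pingback filter can reject such hosts before they ever
 *     reach gethostbyname().
 *
 *  2. libc_ghost_vulnerable(): a local test of the running libc, using the
 *     canary technique of Qualys's published test: hand gethostbyname_r() a
 *     buffer that is one pointer too small by the CORRECT size calculation and
 *     see whether the bytes behind it get overwritten.
 *
 * Build on Linux: cc -Wall -o ghost_check ghost_check.c
 */
#define _GNU_SOURCE            /* gethostbyname_r() is a GNU extension */
#include <ctype.h>
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOST_LEN 255       /* DNS name limit; the article's suggested cutoff */

/* Returns 1 if host is a plausible GHOST trigger, 0 otherwise. The shape tests
 * narrow the article's length-only rule to inputs that actually reach the
 * overflow; a deployment that prefers the simpler rule can keep just the
 * length check. */
int is_ghost_trigger(const char *host)
{
    size_t len = strlen(host);

    if (len == 0 || !isdigit((unsigned char)host[0]) || host[len - 1] == '.')
        return 0;
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)host[i]) && host[i] != '.')
            return 0;          /* any letter sends glibc down the normal DNS path */
    return len > MAX_HOST_LEN; /* short all-numeric hosts are ordinary IP literals */
}

#define CANARY "CANARY_GHOST"  /* example's own marker string */

/* Result buffer for gethostbyname_r() with a canary directly behind it. */
static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} probe;

/* Returns 1 if the canary is overwritten (vulnerable glibc), 0 if libc rejects
 * the undersized buffer with ERANGE (fixed), -1 on any other outcome (a libc
 * whose resolver behaves differently). */
int libc_ghost_vulnerable(void)
{
    struct hostent resbuf, *result = NULL;
    int herrno = 0, ret;
    /* glibc lays the answer out as a 16-byte address, two address-list
     * pointers, one alias-list pointer, then a copy of the name. The vulnerable
     * size check forgot the alias pointer, so a name of this length passes that
     * check exactly and the copy runs sizeof(char *) bytes past the buffer. */
    size_t len = sizeof(probe.buffer) - 16 - 2 * sizeof(char *) - 1;
    char name[sizeof(probe.buffer)];

    memset(name, '0', len);    /* all zeros keeps inet_aton() happy at any length */
    name[len] = '\0';
    memset(probe.buffer, 0, sizeof(probe.buffer));
    memcpy(probe.canary, CANARY, sizeof(CANARY));

    ret = gethostbyname_r(name, &resbuf, probe.buffer, sizeof(probe.buffer),
                          &result, &herrno);

    if (memcmp(probe.canary, CANARY, sizeof(CANARY)) != 0)
        return 1;              /* the copy ran past the buffer: vulnerable */
    if (ret == ERANGE)
        return 0;              /* libc refused the undersized buffer: fixed */
    return -1;
}

int main(void)
{
    const char *samples[] = { "example.com", "192.168.0.1", "1.2.3." };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-12s -> %s\n", samples[i],
               is_ghost_trigger(samples[i]) ? "suspicious" : "ok");

    switch (libc_ghost_vulnerable()) {
    case 1:  puts("libc: VULNERABLE to GHOST"); return 1;
    case 0:  puts("libc: not vulnerable");      return 0;
    default: puts("libc: inconclusive");        return 2;
    }
}
```

On a patched system the program reports "libc: not vulnerable" and exits 0; on an unpatched glibc the canary is overwritten and it exits 1. The overflow is only one pointer wide, which is why the canary can sit immediately behind the buffer, and also why the bug is awkward to exploit in general yet trivial to detect.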
Before the WordPress exposure was found, researchers had noted that, despite the number of Linux systems that might be vulnerable to the bug, GHOST may not be as serious a threat as originally thought. Not only is the bug easily patched, but researchers at Trend Micro also reported that the overflow lets an attacker overwrite only a few bytes (the size of a single pointer), which reduces the number of applications in which it can be turned into code execution.
Researchers also found the number of vulnerable applications to be smaller still, because the gethostbyname() family of functions was deprecated long ago in favor of getaddrinfo(), which is not affected.
"That [gethostbyname()] function has been obsolete for a decade," said Errata Security researcher Robert Graham in a blog post. "Only in insanely portable code, such as when you worry about 16-bit pointers, should [you] have to worry about backing off to gethostbyname(). Conversely, gethostbyname() is no longer part of POSIX, and thus officially no longer 'standard'."