GHOST Linux bug update: WordPress, other PHP applications vulnerable

PHP applications, including WordPress, are vulnerable to the GHOST Linux exploit, but overall the flaw may not be as dangerous as first thought.

New reports show that PHP applications, including WordPress, may be vulnerable to a recently unveiled Linux bug called GHOST, though some believe the vulnerability may not be as easy to exploit as first thought.

Sucuri Inc. researcher Marc-Alexandre Montpas posted an advisory revealing that PHP applications often use the gethostbyname() function wrapper, from which the GHOST bug derives its name. One of the most popular PHP applications to use this function wrapper is WordPress.

Montpas detailed a proof-of-concept exploit for WordPress using the GHOST vulnerability. According to Montpas, an attacker could use a function named "wp_http_validate_url()" that uses the gethostbyname function to validate every pingback's post URL. The attacker would need to send a malicious URL to trigger a buffer-overflow condition, and potentially allow access to the affected machine.

There are ways to mitigate the issue. First, when Qualys unveiled the vulnerability, it noted that a patch was released in 2013 but was not made widely available because the severity of GHOST was not known. Montpas also noted that the attack he describes can be mitigated in WordPress by automatically flagging any domain containing more than 255 bytes that attempts to pingback a site as a potential threat. He also included test PHP code that admins can run on a server terminal to determine if a server is vulnerable to GHOST.
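The pingback host-length check described above, sketched as a stand-alone Python pre-filter for XML-RPC request bodies. This is an added example, not Montpas's or WordPress's code; the function names, the sample request and the refusal of DTDs are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MAX_HOST_BYTES = 255  # threshold named in the mitigation described in the article


def pingback_source_url(body):
    """Return the source URI (first param) of a pingback.ping call, else None."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    method = (root.findtext("methodName") or "").strip()
    if root.tag != "methodCall" or method != "pingback.ping":
        return None
    # XML-RPC allows <value><string>x</string></value> or a bare <value>x</value>.
    path = "./params/param/value"
    text = root.findtext(path + "/string") or root.findtext(path) or ""
    return text.strip() or None


def flag_pingback(body):
    """Return (flagged, reason) for one XML-RPC request body given as str."""
    # Assumption beyond the article: refuse DTDs so the parser never expands entities.
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        return True, "DTD in XML-RPC body"
    url = pingback_source_url(body)
    if url is None:
        return False, "no pingback source URL"
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return True, "unparseable source URL"
    if not host:
        return True, "source URL has no host"
    size = len(host.encode("utf-8"))  # the limit is in bytes, not characters
    if size > MAX_HOST_BYTES:
        return True, "host is %d bytes (limit %d)" % (size, MAX_HOST_BYTES)
    return False, "ok"


def sample_call(source):  # constructed sample request, not captured traffic
    p = "<param><value><string>%s</string></value></param>"
    return ("<methodCall><methodName>pingback.ping</methodName><params>"
            + p % source + p % "https://blog.example/post-1" + "</params></methodCall>")

if __name__ == "__main__":
    for src in ("http://news.example/a", "http://" + "a" * 300 + ".example/x"):
        print(flag_pingback(sample_call(src)))
```

The check measures the host only, after the port and any userinfo have been stripped, so a long path or query string on an ordinary host is not flagged.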

Before this WordPress vulnerability was found, researchers noted that despite how many Linux systems might be vulnerable to the bug, GHOST may not be as serious a threat as originally thought. Not only is the bug easily patched, but researchers at Trend Micro also reported that attackers can only use a small amount of exploit code, which reduces the number of applications that can be targeted.

Researchers have also found that the number of vulnerable applications is reduced further because the gethostbyname() functions were deprecated a long time ago.

"That [gethostbyname()] function has been obsolete for a decade," said Errata Security researcher Robert Graham in a blog post. "Only in insanely portable code, such as when you worry about 16-bit pointers, should you have to worry about backing off to gethostbyname(). Conversely, gethostbyname() is no longer part of POSIX, and thus officially no longer 'standard'."


Join the conversation


Does your organization run WordPress? If so, are you worried about the GHOST exploit?
We do run WordPress, and we take exploits such as this very seriously. As I mentioned in another discussion, we are leveraging our Change Management Database (CMDB) to assist us in identifying systems that could potentially be exposed to the threat. We first started using it in this scenario by filtering for servers that could be running glibc-2.17 and lower, then expanded our efforts to include WordPress and other PHP applications.
As long as applications use gethostbyname() there will be hackers who will search for those applications on your server and exploit them for their gain.
Companies that use such open source technologies may need to find a way to scan for such vulnerabilities, and not only that, to be prepared to update outdated tech when code gets deprecated. (It sounds to me that not updating legacy code is a direct cause of this vulnerability still being present.)
One of the tools that our organization has been implementing that has proven extremely useful in addressing the GHOST issue is our Change Management Database (CMDB). We've been working on populating it via manual and automated discovery efforts for the past year, and it has proven invaluable in identifying systems that could potentially be exposed to the threat. We are able to fine-tune the results as well by filtering on, say, WordPress or RHEL.