Another Bug in WordPress < 2.1, This Time in Pingback
Another bug in the WordPress platform was discovered yesterday. This time the vulnerability is in the XML-RPC and Pingback implementation that ships with WordPress.
The advisory says that WordPress does not validate the pingback sourceURI before passing it to wp_remote_fopen(), which makes it possible to request non-HTTP resources such as local files or FTP sources. In particular, a malicious user can determine whether certain files exist on the local file system.
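To make the advisory's point concrete, here is a stand-alone allowlist check of the kind wp_remote_fopen() is missing. This is an added example, not WordPress code and not text from the advisory; the function names is_acceptable_remote_uri(), guarded_remote_fopen() and fake_fetch(), the extra $fetch parameter, and the sample URIs are assumptions made for this example. The idea is that PHP's fopen() honours every stream wrapper it knows (file://, ftp://, php://, ...), so a URI has to be refused before it reaches the stream layer unless its scheme is explicitly allowed; rewriting a bad URI is not a substitute for rejecting it.

```php
<?php
// Added example: a stand-alone allowlist check for a pingback sourceURI.
// Not WordPress code; function names and sample URIs are assumptions.
//
// fopen() accepts any stream wrapper PHP knows (file://, ftp://, php://, ...),
// so anything that is not plain http/https must be rejected up front.

function is_acceptable_remote_uri($uri)
{
    if (!is_string($uri) || $uri === '' || strlen($uri) > 2048) {
        return false;
    }
    // Control characters and whitespace never belong in a pingback URL.
    if (preg_match('/[\x00-\x20\x7f]/', $uri)) {
        return false;
    }
    // parse_url() returns false on seriously malformed input.
    $parts = @parse_url($uri);
    if ($parts === false || !isset($parts['scheme']) || !isset($parts['host'])) {
        return false;
    }
    // parse_url() keeps the scheme's original case: "FILE:///etc/passwd"
    // is still file://, so normalise before comparing.
    $scheme = strtolower($parts['scheme']);
    return $scheme === 'http' || $scheme === 'https';
}

// Same shape as wp_remote_fopen(), but the check runs first so neither
// fopen() nor curl ever sees a non-HTTP target. $fetch is a hypothetical
// callable that performs the real HTTP fetch (wp_remote_fopen() itself
// takes only $uri); it is injected here so the example runs offline.
function guarded_remote_fopen($uri, $fetch)
{
    if (!is_acceptable_remote_uri($uri)) {
        return false;
    }
    return call_user_func($fetch, $uri);
}

// Stand-in for the network fetch: never contacts anything.
function fake_fetch($uri)
{
    return "<html>fetched $uri</html>";
}

// Constructed sample inputs with the decision each one should get.
$samples = array(
    'http://example.com/2007/01/some-post/' => true,
    'HTTPS://Example.com/post'              => true,   // scheme case must not matter
    'file:///etc/passwd'                    => false,  // local file probe from the advisory
    'ftp://ftp.example.com/pub/file'        => false,  // ftp wrapper
    'example.com/post'                      => false,  // no scheme: refuse, do not guess
    "http://example.com/a\nb"               => false,  // embedded newline
);

foreach ($samples as $uri => $should_accept) {
    $accepted = is_acceptable_remote_uri($uri);
    printf("%-42s %s%s\n", addcslashes($uri, "\n"),
        $accepted ? 'accept' : 'reject',
        $accepted === $should_accept ? '' : '   <-- unexpected');
}

// The guarded wrapper refuses the local-file probe without calling the fetcher.
var_dump(guarded_remote_fopen('file:///etc/passwd', 'fake_fetch'));
var_dump(guarded_remote_fopen('http://example.com/2007/01/some-post/', 'fake_fetch'));
```

Note that this only restricts the scheme and requires a host; it says nothing about which hosts are reachable, which is a separate decision a pingback implementation has to make.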
The official recommendation is to upgrade to WordPress 2.1, but please note that 2.1 is still not very stable and cannot handle some plugins written for the 2.0.x versions.
My personal recommendation is to apply the patch below, which fixes the local-file issue:
diff -Nur wordpress.orig/wp-includes/functions.php wordpress/wp-includes/functions.php
--- wordpress.orig/wp-includes/functions.php 2007-01-13 21:24:05.749659500 -0800
+++ wordpress/wp-includes/functions.php 2007-01-13 21:43:41.855161500 -0800
@@ -2186,10 +2186,22 @@
}
function wp_remote_fopen( $uri ) {
+ $timeout = 10;
+ $parsed_url = @parse_url($uri);
+ if ( !$parsed_url || !is_array($parsed_url) )
+ {
+ return false;
+ }
+ if ( !isset($parsed_url['scheme']) ||
+ !in_array($parsed['scheme'], array('http','https')) )
+ {
+ $uri = 'http://' . $uri;
+ }
if ( ini_get('allow_url_fopen') ) {
$fp = @fopen( $uri, 'r' );
if ( !$fp )
return false;
+ stream_set_timeout($fp, $timeout);
$linea = '';
while( $remote_read = fread($fp, 4096) )
$linea .= $remote_read;
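Review bot: the scheme test on the `!in_array($parsed['scheme'], array('http','https'))` line reads `$parsed`, but the parsed array is `$parsed_url`, so `$parsed['scheme']` is an undefined variable (null), `in_array()` is always false, and `'http://'` gets prepended to every URI that has a scheme, including valid ones; `http://example.com/` becomes `http://http://example.com/`, which breaks legitimate pingbacks. Fix the variable name, and rather than prefixing `http://` to a rejected scheme (which turns `file:///etc/passwd` into `http://file:///etc/passwd` and a scheme-less string into a guess), `return false;` for anything that is not `http` or `https`, comparing with `strtolower($parsed_url['scheme'])` since `parse_url()` keeps the original case. The `$timeout`/`stream_set_timeout()` additions are fine; note that this hunk restricts only the scheme and still passes through whatever host the caller supplied.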
@@ -2200,8 +2212,11 @@
curl_setopt ($handle, CURLOPT_URL, $uri);
curl_setopt ($handle, CURLOPT_CONNECTTIMEOUT, 1);
curl_setopt ($handle, CURLOPT_RETURNTRANSFER, 1);
+ curl_setopt ($handle, CURLOPT_TIMEOUT, $timeout);
$buffer = curl_exec($handle);
curl_close($handle);
+ if ( !preg_match('/.*text\/.*/', curl_getinfo($handle, CURLINFO_CONTENT_TYPE)) )
+ return '';
return $buffer;
} else {
return false;
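Review bot: `curl_getinfo($handle, CURLINFO_CONTENT_TYPE)` is called after `curl_close($handle)`, so it runs on a closed handle, returns false with a warning, the `preg_match()` fails, and the curl branch now returns `''` for every response. Move the lookup above the close, e.g. `$ctype = curl_getinfo($handle, CURLINFO_CONTENT_TYPE);` then `curl_close($handle);` and test `$ctype`. The pattern `/.*text\/.*/` is just `strpos($ctype, 'text/') !== false`, and it rejects pingback sources served as `application/xhtml+xml` or `application/xml`; the `allow_url_fopen` branch in the previous hunk gets no equivalent content-type check, so the two code paths now behave differently. Also, when `curl_exec()` fails `$buffer` is false and should be returned as false rather than passed through as a body.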