wp-pass Redirect Vulnerability: Possible Fix
Security Fix, PHP, WordPress
July 8th, 2007

If you read about WordPress bugs, you have probably seen the alert about wp-pass. In this post we’ll discuss a possible fix that may help some people out. The vulnerability is present in version 2.2.1, so this fix will probably hold you over until 2.2.2 is released. You can read more on this vulnerability over at BlogSecurity. Read on to see about fixing it.
Ok, so first a little info on this vulnerability. Basically, it allows a remote URL redirect via the file wp-pass.php (in the root of your blog installation). The code that file calls lives in functions.php (in wp-includes/), specifically at line 1040.
Below is the function:
function wp_get_referer() {
    foreach ( array($_REQUEST['_wp_http_referer'], $_SERVER['HTTP_REFERER']) as $ref )
        if ( !empty($ref) )
            return $ref;
    return false;
}
This may not be the most elegant fix, and it could break your blog, so always back up your files first. In an attempt to keep this as general as possible while making sure the fix itself can’t be exploited, we’ll change the function slightly.
Below is the fixed function; the changes are the two $bps_fix_siteurl lines at the top and the new check inside the loop:
function wp_get_referer() {
    $bps_fix_siteurl = get_option('siteurl'); // the current site's root URL
    $bps_fix_siteurl_length = strlen($bps_fix_siteurl); // length of the root URL
    foreach ( array($_REQUEST['_wp_http_referer'], $_SERVER['HTTP_REFERER']) as $ref ) {
        if ( empty($ref) )
            continue; // nothing here, try the next candidate as the original loop did
        if ( substr($ref, 0, $bps_fix_siteurl_length) == $bps_fix_siteurl )
            return $ref; // referer starts with the site URL, pass it through
        return $bps_fix_siteurl; // anything else: send the visitor to the blog's root
    }
    return false;
}
What does this do? It’s very simple, really. First we fetch the blog’s URL and the length of that string. Then, inside the loop, we add a check that takes the referer URL passed to the page, cuts it down to the length of the site’s URL, and compares that prefix with the site’s URL. If it matches, the referer string is returned; if not, the visitor is redirected to the blog’s root. This also defeats duplicating the string to call itself and then another remote URL, since nothing past that prefix length is examined. There are probably cases where this needs to be changed; if you come across any of them, leave a comment so we can update the code.
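As an added example that is not part of the original post or of WordPress, the snippet below shows a stricter form of the same check: it parses the referer and the site URL with parse_url and compares scheme, host, port and path rather than a raw string prefix. The function name, the site URL and the sample referers are all assumptions made up for the example.

```php
<?php
// Added example, not part of the original post or of WordPress; function and
// variable names are hypothetical, the site URL and referers are constructed.
// Rather than comparing the first strlen($siteurl) characters of the referer,
// it parses both URLs and requires the same scheme, host and port, and a path
// that stays under the blog's own path.

function bps_example_safe_referer($ref, $siteurl) {
    if (!is_string($ref) || $ref === '') {
        return false;
    }
    $site = parse_url($siteurl);
    $cand = parse_url($ref);
    // Both must parse as absolute URLs with a scheme and a host.
    if (!is_array($site) || !is_array($cand) ||
        empty($site['scheme']) || empty($site['host']) ||
        empty($cand['scheme']) || empty($cand['host'])) {
        return false;
    }
    if (strtolower($cand['scheme']) !== strtolower($site['scheme']) ||
        strtolower($cand['host']) !== strtolower($site['host'])) {
        return false;
    }
    // An explicit port must match the site's port (null when none is given).
    $sitePort = isset($site['port']) ? $site['port'] : null;
    $candPort = isset($cand['port']) ? $cand['port'] : null;
    if ($sitePort !== $candPort) {
        return false;
    }
    // siteurl may include a sub-directory (http://example.com/blog); stay below it.
    $sitePath = isset($site['path']) ? rtrim($site['path'], '/') . '/' : '/';
    $candPath = isset($cand['path']) ? rtrim($cand['path'], '/') . '/' : '/';
    return strncmp($candPath, $sitePath, strlen($sitePath)) === 0;
}

// Constructed referers checked against a constructed site URL: "allow" means the
// value is returned for the redirect, "reject" means fall back to the blog root.
$siteurl = 'http://example.com/blog';
$samples = array(
    'http://example.com/blog/2007/07/post/',         // allow: same host, under the blog path
    'http://example.com/blog',                       // allow: the blog root itself
    'http://example.com/other/',                     // reject: same host, outside the blog path
    'http://example.com.other.invalid/blog/',        // reject: other host, although the string starts with the site URL
    'http://other.invalid/?http://example.com/blog', // reject: other host
    '/blog/relative',                                // reject: not an absolute URL
);
foreach ($samples as $ref) {
    printf("%-6s %s\n", bps_example_safe_referer($ref, $siteurl) ? 'allow' : 'reject', $ref);
}
```

A caller would return the blog root (as the fix above does) whenever this function returns false.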
As of publishing this, we know of no other pre-existing fix.
