| Field | Value |
| --- | --- |
| Affected plugin | miniOrange |
| Active installs | 20,000+ |
| Vulnerable version | <= 5.5.82 |
| Audited version | 5.5.82 |
| Fully patched version | – |
| Recommended remediation | Removal of the plugin |
Description
An attacker can bypass the plugin’s WAF rate limiting by spoofing the User-Agent header to match the name of a popular search-engine crawler.
Proof of concept
There are several places where the plugin reads the User-Agent from the HTTP_USER_AGENT header, assuming that the header always contains trustworthy information. It does not: the header is fully controlled by the client.
One example is the plugin’s WAF, which contains the following code:
```php
if(isset($RateLimiting) and $RateLimiting == 1)
{
    if(!is_crawler())
    {
        mo_wpns_apply_RateLimiting($RequestsPMin,$actionRateL,$ipaddress,$errorPage);
    }
}
```
The “is_crawler” function is defined as follows:
```php
function is_crawler()
{
    // The User-Agent is taken straight from the request; any client can set it freely.
    $USER_AGENT = isset($_SERVER['HTTP_USER_AGENT'])?$_SERVER['HTTP_USER_AGENT']:'';
    $Botsign = array('bot','apache','crawler','elinks','http', 'java', 'spider','link','fetcher','scanner','grabber','collector','capture','seo','.com');
    foreach ($Botsign as $key => $value)
    {
        // Note: $USER_AGENT was assigned above, so isset($USER_AGENT) is always true here and the
        // regex is never the deciding factor; the substring list is what the text below relies on.
        if(isset($USER_AGENT) || preg_match('/'.$value.'/', $USER_AGENT))
        {
            return true;
        }
    }
    return false;
}
```
An attacker can bypass all rate limiting in the WAF by setting the value of the User-Agent header to “google-bot”, which matches the “bot” entry in the signature list.
Proposed patch
If the User-Agent is to be used in security-related contexts, a reverse-DNS lookup must be performed using the two PHP functions:
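The following is an added example of what such a check can look like; it is not the plugin’s code and not a vendor patch. It verifies a crawler claim by forward-confirmed reverse DNS on the client IP instead of trusting the User-Agent: resolve the IP to a hostname, require the hostname to fall under an allow-listed crawler domain, then resolve that hostname back and require it to yield the original IP. The function name `mo_example_is_verified_crawler`, the allow-list of hostname suffixes, and the in-memory resolver used for the offline demo are all assumptions made here; in production the resolvers default to PHP’s `gethostbyaddr()` and `gethostbyname()`.

```php
<?php
// Added example, not part of the miniOrange plugin: forward-confirmed reverse DNS
// check intended as a replacement for a User-Agent based is_crawler() decision.
// Assumed: the suffix allow-list below and that $ip is the server-observed client
// address (REMOTE_ADDR), not a value taken from a client-controlled header.

function mo_example_is_verified_crawler(string $ip, ?callable $reverse = null, ?callable $forward = null): bool
{
    // Resolvers are injectable so the function can be exercised without network access;
    // by default they are PHP's built-in gethostbyaddr() and gethostbyname().
    $reverse = $reverse ?? 'gethostbyaddr';
    $forward = $forward ?? 'gethostbyname';

    // Assumed allow-list: hostname suffixes the accepted crawlers are expected to use.
    $allowedSuffixes = ['.googlebot.com', '.google.com', '.search.msn.com'];

    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }

    // Step 1: reverse lookup. gethostbyaddr() returns the IP unchanged when no PTR record exists.
    $host = $reverse($ip);
    if (!is_string($host) || $host === '' || $host === $ip) {
        return false;
    }
    $host = rtrim(strtolower($host), '.');

    // Step 2: the PTR name must end with an allow-listed suffix (dot included, so
    // "googlebot.com.attacker.example" or "evilgooglebot.com" do not match).
    $matched = false;
    foreach ($allowedSuffixes as $suffix) {
        if (substr($host, -strlen($suffix)) === $suffix) {
            $matched = true;
            break;
        }
    }
    if (!$matched) {
        return false;
    }

    // Step 3: forward lookup of that name must point back at the original IP.
    // Anyone can set the PTR record of an address they control; they cannot make
    // the crawler operator's zone resolve that name to their address.
    // gethostbyname() returns the hostname unchanged on failure, which also fails this test.
    return $forward($host) === $ip;
}

// Constructed offline demo: an in-memory resolver standing in for real DNS.
$ptrRecords = [
    '203.0.113.10' => 'crawl-203-0-113-10.googlebot.com',   // genuine-looking crawler (constructed)
    '198.51.100.7' => 'googlebot.com.attacker.example',     // attacker-controlled PTR (constructed)
];
$aRecords = [
    'crawl-203-0-113-10.googlebot.com' => '203.0.113.10',
    'googlebot.com.attacker.example'   => '198.51.100.7',
];
$reverseStub = fn(string $ip) => $ptrRecords[$ip] ?? $ip;
$forwardStub = fn(string $host) => $aRecords[$host] ?? $host;

var_dump(mo_example_is_verified_crawler('203.0.113.10', $reverseStub, $forwardStub)); // allow-listed and forward-confirmed
var_dump(mo_example_is_verified_crawler('198.51.100.7', $reverseStub, $forwardStub)); // suffix not allow-listed
var_dump(mo_example_is_verified_crawler('192.0.2.1', $reverseStub, $forwardStub));    // no PTR record at all
```

In the rate-limiting branch shown above, the call to `is_crawler()` would become `mo_example_is_verified_crawler($ipaddress)`. Two DNS round trips per request are expensive, so a real deployment should cache the verdict per IP for a bounded time; also note that `gethostbyaddr()`/`gethostbyname()` use the system resolver, and the check is only as trustworthy as the path between the web server and its DNS resolver. Arrow functions in the demo require PHP 7.4 or later.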
Timeline
| Event | Date |
| --- | --- |
| Vendor contacted | September 12, 2022 |
| First response | September 16, 2022 |
| Fully patched at | – |
| Publicly disclosed | April 24, 2023 |