Rate limit bypass through User-Agent spoofing – (miniOrange <= 5.5.82)


Affected plugin: miniOrange
Active installs: 20,000+
Vulnerable version: <= 5.5.82
Audited version: 5.5.82
Fully patched version:
Recommended remediation: Removal of the plugin


An attacker can bypass the plugin’s WAF rate limiting by spoofing the User-Agent header to the name of a popular search-engine crawler.

Proof of concept

There are several places where the plugin reads the User-Agent from the HTTP_USER_AGENT header, assuming that the header always contains trustworthy information.

Of course, this is not the case.

One example is the plugin’s WAF, which contains the following code:

if(isset($RateLimiting) and $RateLimiting == 1)

The “is_crawler” function is defined as follows:

function is_crawler() {
    // Substrings that mark a request as a "crawler". Note that 'bot' also
    // matches an arbitrary, client-chosen User-Agent such as "google-bot".
    $Botsign = array('bot','apache','crawler','elinks','http', 'java', 'spider','link','fetcher','scanner','grabber','collector','capture','seo','.com');
    foreach ($Botsign as $key => $value) {
        // $USER_AGENT holds the raw HTTP_USER_AGENT header, i.e. a value the client fully controls
        if(isset($USER_AGENT) || preg_match('/'.$value.'/', $USER_AGENT)) {
            return true;
        }
    }
    return false;
}

An attacker can bypass all rate-limiting in the WAF by setting the User-Agent header to “google-bot”, which matches the 'bot' entry of the list above.

Proposed patch

If the User-Agent is to be used in security-related contexts, a reverse-DNS lookup must be performed using the two PHP functions:
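As an added example (not the plugin's code and not the advisory's own patch), the following PHP sketch shows the two-step check such a patch performs: reverse-resolve the client IP, require the resulting hostname to sit under a domain the claimed crawler is known to use, then forward-resolve that hostname and require it to map back to the same IP. The function name, the crawler allowlist, and the injectable resolver callables (defaulting to PHP's gethostbyaddr() and gethostbyname()) are assumptions; the DNS data at the bottom is constructed so the check can be exercised without network access.

```php
<?php
// Added example, not the miniOrange plugin's code: decide whether a request
// really comes from a search-engine crawler by verifying the client IP via
// reverse DNS plus forward confirmation, instead of trusting User-Agent.
// is_verified_crawler(), the allowlist and the fake resolvers are assumptions.

/**
 * Returns true only if the crawler identity claimed in $userAgent is
 * confirmed by DNS. $reverse and $forward default to gethostbyaddr() and
 * gethostbyname(); they are injectable so the logic can run offline.
 */
function is_verified_crawler(string $ip, string $userAgent,
                             ?callable $reverse = null, ?callable $forward = null): bool
{
    $reverse = $reverse ?? 'gethostbyaddr';
    $forward = $forward ?? 'gethostbyname';

    // Assumed allowlist: User-Agent token => parent domains the crawler's
    // reverse-DNS name is allowed to end with.
    $crawlers = [
        'googlebot' => ['googlebot.com', 'google.com'],
        'bingbot'   => ['search.msn.com'],
    ];

    $ua = strtolower($userAgent);
    $domains = null;
    foreach ($crawlers as $needle => $allowed) {
        if (strpos($ua, $needle) !== false) {
            $domains = $allowed;
            break;
        }
    }
    if ($domains === null) {
        return false; // does not even claim to be a crawler we know
    }

    // Step 1: reverse lookup. gethostbyaddr() returns the IP unchanged on failure.
    $host = $reverse($ip);
    if ($host === false || $host === $ip) {
        return false;
    }
    $host = rtrim(strtolower($host), '.');

    // Step 2: the hostname must end with an allowed domain, on a label boundary.
    $matched = false;
    foreach ($domains as $d) {
        if ($host === $d || substr($host, -strlen('.' . $d)) === '.' . $d) {
            $matched = true;
            break;
        }
    }
    if (!$matched) {
        return false;
    }

    // Step 3: forward-confirm; a PTR record alone is controlled by whoever
    // owns the IP range, so the name must resolve back to the same address.
    return $forward($host) === $ip;
}

// --- Offline demonstration with constructed DNS data (no network needed) ---
$fakePtr = [
    '203.0.113.10' => 'crawl-203-0-113-10.googlebot.com', // genuine-looking crawler
    '198.51.100.7' => 'host.attacker.example',            // ordinary client
    '192.0.2.5'    => 'fake.googlebot.com',               // PTR claims a crawler name
];
$fakeA = [
    'crawl-203-0-113-10.googlebot.com' => '203.0.113.10',
    'host.attacker.example'            => '198.51.100.7',
    // no forward record for fake.googlebot.com: PTR cannot be confirmed
];
// gethostbyname() returns the hostname unchanged on failure; mimic that here.
$reverse = fn(string $ip) => $fakePtr[$ip] ?? $ip;
$forward = fn(string $h)  => $fakeA[$h] ?? $h;

$cases = [
    ['203.0.113.10', 'Mozilla/5.0 (compatible; Googlebot/2.1)'],
    ['198.51.100.7', 'google-bot'],   // the spoofed value from the advisory
    ['198.51.100.7', 'Googlebot'],    // right token, wrong network
    ['192.0.2.5',    'Googlebot'],    // spoofed PTR, no forward confirmation
];
foreach ($cases as [$ip, $ua]) {
    printf("%-14s %-42s verified=%s\n", $ip, $ua,
        is_verified_crawler($ip, $ua, $reverse, $forward) ? 'yes' : 'no');
}
```

Only the first case is accepted: the second never claims a known crawler token, the third reverse-resolves outside the allowed domains, and the fourth carries a crawler-looking PTR name that does not resolve back to the client IP. Real lookups are slow, so a production version would cache the verdict per IP rather than resolving on every request.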


Vendor contacted: September 12, 2022
First response: September 16, 2022
Fully patched at:
Publicly disclosed: April 24, 2023

