# Exploit Title: Extended Useradmininfo MyBB Plugin 1.2.1 - Cross Site Scripting
# Google Dork: N/A
# Date: 09.02.2014
# Exploit Author: Fikri Fadzil - fikri.fadzil@impact-alliance.org
# Vendor Homepage: http://forum.mybboard.de/user-9022.html
# Software Link: http://mods.mybb.com/view/extended-useradmininfo
# Version: 1.2.1
# Tested on: PHP

Description:
This plugin shows advanced information about a user, such as last IP, User Agent, Browser and Operating System. The information is shown in the user profile and is visible only to people who are able to see the admin options on user profiles.

Proof of Concept
1. Create a user account.
2. Change your user-agent to "Mozilla".
3. Login and then... logout.
* The script will be executed whenever the administrator views your profile.

Solution:
Replace the content of "inc/plugins/extendeduseradmininfos.php" with this fix: http://pastebin.com/ncQCvwdq
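The root cause is a stored header value (the User-Agent) being written into admin-visible profile HTML without encoding. The snippet below is an added illustration of that defect and its fix; it is not the plugin's code and not the linked pastebin patch, and the function names and sample value are assumptions. MyBB core's own htmlspecialchars_uni() serves the same purpose as the htmlspecialchars() call used here.

```php
<?php
// Added illustration, not the plugin's code or the linked fix.
// Assumption: the plugin reads the stored User-Agent string and places it
// into the profile template. A stored request header is attacker-controlled
// input and must be HTML-encoded before it reaches the administrator's browser.

// Constructed sample: a User-Agent value as a user could have sent it.
$stored_useragent = 'Mozilla <b>bold</b>';

// Vulnerable pattern (hypothetical): raw interpolation into the profile HTML.
function render_useragent_unsafe(string $ua): string
{
    return '<strong>User Agent:</strong> ' . $ua;
}

// Hardened pattern: encode for an HTML text context. ENT_QUOTES also covers
// attribute contexts; the charset is stated explicitly so multibyte input is
// handled consistently with the page encoding.
function render_useragent_safe(string $ua): string
{
    $encoded = htmlspecialchars($ua, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<strong>User Agent:</strong> ' . $encoded;
}

// Defence in depth at storage time: a User-Agent header has no legitimate need
// for control characters or unbounded length, so strip and cap it before it is
// written to the database. Output encoding above is still the primary fix.
function normalise_useragent_for_storage(string $ua, int $max = 255): string
{
    $ua = preg_replace('/[\x00-\x1F\x7F]/', '', $ua) ?? '';
    return mb_substr($ua, 0, $max, 'UTF-8');
}

echo render_useragent_unsafe($stored_useragent), PHP_EOL;
echo render_useragent_safe(normalise_useragent_for_storage($stored_useragent)), PHP_EOL;
```

Running it shows the first line carrying the user-supplied markup through untouched while the second line renders it as literal text, which is the behaviour the profile view needs for every stored header field, not just User-Agent.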