MyBB Extended Useradmininfo Plugin 1.2.1 - Cross-Site Scripting

Author: Fikri Fadzil
type: webapps
platform: php
port: 80
date_added: 2014-02-09 
date_updated: 2014-02-16 
verified: 1 
codes: OSVDB-103244 
tags: 
aliases:  
screenshot_url: http://www.exploit-db.com/screenshots/idlt32000/screen-shot-2014-02-16-at-94813-am.png 
application_url: http://www.exploit-db.com4199-1390944146-Extended_Useradmininfosv1.2.1.zip

# Exploit Title: Extended Useradmininfo MyBB Plugin 1.2.1 - Cross Site Scripting
# Google Dork: N/A
# Date: 09.02.2014
# Exploit Author: Fikri Fadzil - fikri.fadzil@impact-alliance.org
# Vendor Homepage: http://forum.mybboard.de/user-9022.html
# Software Link: http://mods.mybb.com/view/extended-useradmininfo
# Version: 1.2.1
# Tested on: PHP

Description:
This plugin shows advanced information about a user, such as last IP, User
Agent, Browser and Operating System. The information is shown in the user's
profile and is visible only to people who are able to see the admin options
on user profiles.

Proof of Concept
1. Create a user account.
2. Change your user-agent to "Mozilla<script>alert(1)</script>".
3. Login and then... logout.

* The script will be executed whenever an administrator views your profile.


Solution:
Replace the content of "inc/plugins/extendeduseradmininfos.php" with this fix:
http://pastebin.com/ncQCvwdq
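The following is an added illustration of the class of fix the advisory refers to; it is not the plugin's code and not the content of the linked pastebin. It assumes the plugin stores the raw User-Agent header per user and later writes it into the profile template; the function names and the sample stored value are constructed for this example.

```php
<?php
// Added example, not the plugin's code: rendering a stored HTTP header in
// an HTML page. The header is attacker-controlled input and must be encoded
// for the HTML context before it is echoed.

// Constructed sample of what the plugin would have stored for a user whose
// browser sent the crafted User-Agent from the advisory.
$storedUserAgent = 'Mozilla<script>alert(1)</script>';

// Vulnerable pattern: the stored header is concatenated into the profile
// markup unchanged, so the viewer's browser parses the embedded tag.
function render_useragent_vulnerable(string $ua): string
{
    return '<tr><td>User Agent</td><td>' . $ua . '</td></tr>';
}

// Hardened pattern: HTML-encode the value for a text context. ENT_QUOTES
// also covers attribute contexts; ENT_SUBSTITUTE avoids returning an empty
// string on invalid UTF-8, which would silently hide the value.
function render_useragent_safe(string $ua): string
{
    $escaped = htmlspecialchars($ua, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<tr><td>User Agent</td><td>' . $escaped . '</td></tr>';
}

// Defender-side audit helper (hypothetical): flags stored user-agent values
// that contain characters meaningful to an HTML parser. Useful when sweeping
// the users table after applying the fix, to find rows written while the
// vulnerable version was installed.
function useragent_looks_like_markup(string $ua): bool
{
    return preg_match('/[<>"\']/', $ua) === 1;
}

echo render_useragent_vulnerable($storedUserAgent), PHP_EOL;
echo render_useragent_safe($storedUserAgent), PHP_EOL;
echo useragent_looks_like_markup($storedUserAgent) ? "suspicious\n" : "clean\n";
```

The safe variant neutralises the payload at output time regardless of what was stored; the audit helper is only a coarse triage filter and does not replace encoding on output.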