CVE-2009-1498

Name of the Vulnerable Software and Affected Versions: Game Maker 2k Internet Discussion Boards (iDB) version 0.2.5 Pre-Alpha SVN 243

Description: The issue allows remote attackers to include and execute arbitrary local files. This is achieved by exploiting a directory traversal vulnerability in the inc/profilemain.php file. The vulnerability can be triggered by sending a settings action to profile.php with a .. (dot dot) in the skin parameter.

Recommendations: For Game Maker 2k Internet Discussion Boards (iDB) version 0.2.5 Pre-Alpha SVN 243, consider restricting access to the skin parameter in the profile.php settings action to minimize the risk of exploitation. As a temporary workaround, restrict the ability to include and execute arbitrary local files via the inc/profilemain.php file until a patch is available.