CVE-2009-2787

Name of the Vulnerable Software and Affected Versions PunBB Reputation plugin versions 2.2.4, 2.2.3, 2.0.4, and earlier

Description The issue allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the pun user[language] parameter when register globals is enabled and magic quotes gpc is disabled.

Recommendations For PunBB Reputation plugin versions 2.2.4, 2.2.3, 2.0.4, and earlier, consider disabling the register globals setting and enabling magic quotes gpc to minimize the risk of exploitation. As a temporary workaround, restrict access to the rep profile.php file in the include/reputation directory until a patch is available. Avoid using the pun user[language] parameter in the affected plugin until the issue is resolved.