profile.php in PunBB 1.2.1 allows remote malicious users to cause a denial of service (account lockout) by setting the user's password to NULL.
Affected: punbb punbb 1.2.1