Little Wall O' Buttons - Upgrade
Introduction
LittleWallO'Buttons had a security scare in June 2007, in which it was possible for your user accounts (on any site) to be exploited.
This was because the images that users could submit to go on your site weren't checked properly; only the extension of the file was checked, and this wasn't sufficient.
Both myself and Jem^ (who discovered the flaw) attempted to exploit the hole ourselves but neither of us possesses the knowledge necessary to do so.
I threw a few ideas around my head to try and fix the hole and the only thing I could come up with was for you, the administrator, to choose an image and upload it yourself.
How To Upgrade
First off, save the config details for the database and put them somewhere safe, then delete the whole LWOB folder from your server.
Download LittleWallO'Buttons and unzip the folder. Open up config.php and transfer your database details over.
Edit the rest of the variables to fit your information.
Upload the folder and delete install.php and spam-fix.php.
You've removed all of the unsafe files and replaced them with the safe ones.
All old buttons will still work. New buttons should be uploaded. You can use the upload form integrated with the script (you can find the link to "Upload" on the "Approve Buttons" page, or go to admin/upload.php), upload the buttons using your FTP software, or link directly to the button on the user's site if they allow it.
If you use the upload form, it'll delete the file if:
- it's not a .jpg/.jpeg or .gif
- it's not a valid .jpg/.jpeg or .gif
- it's over 350kb
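
The three checks above, shown next to the old extension-only check, as an added example that is not LittleWallO'Buttons' own code. All function and constant names are hypothetical, the sample files are constructed, and "350kb" is assumed to mean 350 × 1024 bytes.

```php
<?php
// Added example; names are hypothetical, not LittleWallO'Buttons code.
const MAX_BYTES = 350 * 1024; // assumption: "350kb" read as 350 * 1024 bytes
const ALLOWED = [             // extension => image type the content must match
    'jpg' => IMAGETYPE_JPEG, 'jpeg' => IMAGETYPE_JPEG, 'gif' => IMAGETYPE_GIF,
];

// Pre-fix behaviour from the introduction: only the file name is consulted.
function extension_only_check(string $name): bool
{
    return array_key_exists(strtolower(pathinfo($name, PATHINFO_EXTENSION)), ALLOWED);
}

// Returns null when the file passes all three checks, otherwise the reason.
// A rejected file is deleted, as the upload form does.
function check_button(string $path, string $name): ?string
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    $reason = null;
    if (!array_key_exists($ext, ALLOWED)) {
        $reason = "not a .jpg/.jpeg or .gif";
    } elseif (filesize($path) > MAX_BYTES) {
        $reason = "over 350kb";
    } else {
        $info = @getimagesize($path); // looks at the content, not the name
        if ($info === false || $info[2] !== ALLOWED[$ext]) {
            $reason = "not a valid .$ext";
        }
    }
    if ($reason !== null) {
        @unlink($path);
    }
    return $reason;
}

// Constructed sample uploads: a real 1x1 GIF and three files that must fail.
$gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
$samples = [
    'button.gif' => $gif,                                // passes
    'fake.gif'   => '<html>not an image</html>',         // right name, wrong content
    'big.gif'    => $gif . str_repeat("\0", MAX_BYTES),  // too large
    'photo.jpg'  => $gif,                                // content does not match name
];
foreach ($samples as $name => $bytes) {
    $path = tempnam(sys_get_temp_dir(), 'lwob');
    file_put_contents($path, $bytes);
    $result = check_button($path, $name);
    printf("%-11s old check: %-6s new check: %s\n", $name,
        extension_only_check($name) ? 'accept' : 'reject', $result ?? 'accept');
    if ($result === null) { unlink($path); }
}
```

The old check accepts all four sample names, while the three-step check accepts only button.gif. getimagesize() reads just the image header, so passing it shows the file starts like an image of that type, not that every byte after the header is image data.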




