I've taken down the LittleWallO'Buttons script; there might be a security hole.
It'd be a really good idea to take down the script at the moment, as a precaution.
Jem^ sent me an email about it last night. I saw the email this morning and tried to add the fix, but my host's setup means I can't implement the fix Jem suggested.
Read more about the possible security hole on Jem's latest entry^ and Donnie's comment.
Updated: August 17 2008
It looks like I didn't mention it again after this entry but Jem^ and I spent a few days trying to hack the script about and create our own CSRF attack (the type of attack Jem told me about). We were unsuccessful; it appears that you need quite a bit of technical knowledge in order to create the attack. I don't possess that knowledge.
The problem my script has is the same problem a lot of button, ad rotation, topsite, etc. scripts have: the script checks only the file extension of the URL the user supplies for the "image". It doesn't check that what is actually at that URL is an image.
The only way for me to patch that hole is for you, the admin, to download the button, upload it to your site and reference the new URL...
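To make the difference concrete, here is an added example (my own illustration, not code from LittleWallO'Buttons or from Jem) of the extension-only check the post describes next to a check on the fetched bytes, plus the "download it and reference a local copy" approach from the paragraph above. The accepted extensions, function names and sample inputs are all assumptions; the HTTP fetch is replaced by constructed bytes so it runs offline.

```python
import hashlib
import os
from typing import Optional, Tuple
from urllib.parse import urlparse

# Extensions the button wall accepts (assumed; the post does not list them).
ALLOWED_EXTENSIONS = {".png", ".gif", ".jpg", ".jpeg"}


def passes_extension_check(url: str) -> bool:
    """The weak check the post describes: only the URL's extension is inspected.

    Anyone who controls the host can put a .png suffix on any URL, so this says
    nothing about what a visitor's browser will actually receive from it.
    """
    ext = os.path.splitext(urlparse(url).path)[1].lower()
    return ext in ALLOWED_EXTENSIONS


def detect_image_type(data: bytes) -> Optional[str]:
    """Identify an image by its leading bytes (magic numbers); None if it is not one."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith((b"GIF87a", b"GIF89a")):
        return "gif"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    return None


def accept_button(url: str, fetched: bytes) -> Tuple[bool, str]:
    """Hardened acceptance: extension must be allowed AND the bytes must be an image.

    `fetched` stands in for what the server downloaded from `url`; this offline
    example passes constructed bytes instead of performing an HTTP request.
    """
    if not passes_extension_check(url):
        return False, "extension not allowed"
    kind = detect_image_type(fetched)
    if kind is None:
        return False, "content is not an image"
    return True, kind


def local_filename(data: bytes) -> str:
    """Name for a server-side copy of the button, as in the post's 'download it and
    reference the new URL' fix. Derived from the bytes, never from the remote name."""
    kind = detect_image_type(data)
    if kind is None:
        raise ValueError("refusing to store non-image data")
    digest = hashlib.sha256(data).hexdigest()[:16]
    return f"{digest}.{kind}"


def store_button(data: bytes, upload_dir: str) -> str:
    """Write the validated image into upload_dir and return the path to reference."""
    path = os.path.join(upload_dir, local_filename(data))
    with open(path, "wb") as fh:
        fh.write(data)
    return path


# Constructed sample inputs (not real buttons): a PNG signature with a dummy body,
# and an HTML page that an attacker would serve from a URL ending in .png.
GENUINE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
HTML_WITH_PNG_NAME = b"<html><body>not an image</body></html>"

if __name__ == "__main__":
    # The extension check alone is fooled; the content check is not.
    print(passes_extension_check("http://example.invalid/button.png"))  # True
    print(accept_button("http://example.invalid/button.png", HTML_WITH_PNG_NAME))  # (False, 'content is not an image')
    print(accept_button("http://example.invalid/88x31.png", GENUINE_PNG))  # (True, 'png')
```

Checking the bytes at submission time only tells you what the remote server returned at that moment; it can serve something else to visitors later. That is why keeping a local copy and pointing the `<img>` at it, as the paragraph above suggests, is the stronger of the two measures.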
Jem and I are discussing and trying to decipher whether this is a real security threat or not. I would take the script down but wouldn't state as fact that there's a security hole as of yet.
If it is, the only complete fix would involve LittleWallO'Buttons actually downloading the image files to the server. In my opinion though, that would bring other security concerns into play.