Brief
We have fixed the 'user_select.php' and 'user_upload.php' scripts for release 3.5.
Description.
There was a critical bug with possibility to include remote files if PHP setting register_globals is On.
Only version 3.5 was vulnerable. All earlier versions including 3.4.7 are not impacted.
Solution.
We would recommend to download an updated version of the file from here:
http://www.viart.com/downloads/user_select-3.5.zip
http://www.viart.com/downloads/user_upload-3.5.zip
Further, extract the above mentioned files into the root folder of your shop replacing an existing ones. Don't forget to make a backup copy of the current files in case something goes wrong.