nicosomb discovered quite a bad security bug today, and I'm releasing a fix tonight (1.0.7) that will take care of it completely. Until then, if you have a 1.0.4, 1.0.5, or 1.0.6 installation, you should patch it yourself if you can.
The fix: (EVERYONE SHOULD DO THIS if you're running 1.0.4-1.0.6)
Edit: Upgrade to 1.0.7!
That should do it! The security problem is that it allowed directory listings using the '..' (up directory) directory which was not filtered out. NO FILES COULD BE ACCESSED by this method, only directory listings, and only for directories accessible by the web server. This flaw is not susceptible to exploitation of a web server or your zenphoto installation; it only shows relative folder names in the structure of your site.
Very sorry, this was entirely my fault... fortunately it seems no real harm may be done.
Note also this only affects versions greater than 1.0.4, where the sub-albums backend code is present. It is fixed after and including 1.0.7. Please upgrade today!