We are pleased to announce that we have an updated version of Ajax Filemanager which has all known security holes plugged. We are releasing this version with the 1.4.2 Zenphoto release and it is currently available in the Beta of that release.
We understand that some people will be reluctant to use this plugin owing to the recent hacks of Zenphoto sites. For this reason, Ajax Filemanager is now a plugin and is disabled by default. If you wish to use the Filemanager functionality, go to the plugins tab and enable the Ajax Filemanager plugin.
Please note that the code we have released HAS BEEN MODIFIED to close these security holes. We are still waiting for updates from the developer. Until such time as these are available and activated by default, the developer-released versions of Ajax Filemanager should not be considered secure. As released, they are subject to direct access (bypassing Zenphoto security) and Cross-Site Request Forgery (CSRF). DO (...)