Zenphoto 184.108.40.206 11 November 2011
This is a security update to the issues reported and the only change to Zenphoto 220.127.116.11 is the removal of the 3rd party Ajax File Manager tool as already discussed. Info about that here:
We urge anyone to upgrade. Download as always on our download page. If you access the file manager sub tab on the backend tab you will get a 404 not found. That is meant to happen.
This is a hotfix. The nightly builds have the file manage removed as well but are 1.4.2 beta already as the 1.4.1.x stream was actually considered closed (as announced already). Therefore there is no and wil be no tag for 18.104.22.168 in any svn stream.
Again, we are very sorry this all was possible. Thanks all for your support and understanding on the forum.
Addition: We have informed the developer of the Ajax File Manager about the issues yesterday and he is terrible sorry as well. He just let us know that he relesed a new version because of this. We will take a look and maybe we re-add the file manager back again.  The new version of the Ajax File Manager still has a vulnerability to cross site reference forgeries. The developer is working on a release to close this security hole. We hope to have all this resolved by the 1.4.2 release.