More information here:
http://www.zenphoto.org/trac/ticket/1183

E-mail/PM me for the exploit source and the patch for it. The exploit only works if you aren't logged in already (which a hacker probably isn't anyway) but keep that in mind if you are going to test it. I only tested it on a server with magic_quotes_gpc = off.

The ticket is actually enough. Please see my comment there.

A fix for this issue has been released and will be in the nightly build of 9 July.