This is just a post to educate. I recently experienced a spam issue on my server. The site was running 3.8 with vbgallery 2.51. We couldn't isolate the issue and it prompted us to upgrade the site, prematurely, to counter the spam. The upgrade killed the spam but we never knew where it was coming from as we hosted so many scripts and files it was difficult to isolate without being able to isolate it to one script. Today I upgraded that gallery on my dev site to transfer the files over to a CDN, instead of hosting them locally. I had a few minor style issues after the upgrade so I did some google digging and came across this thread:
Photopost was made aware of the exploit in Feb. of 2012 and they chose to simply ignore it. I never received a notice that there was an exploit. These people knowingly allowed their clients running that version to be exploited by not sending out a notice or a simple patch. The spam was being sent via the ecard or send to friend feature. "Chuck" tried blaming vBulletin as usual until it was made clear where it was coming from. Intentionally allowing your client base to fall victim to an exploit that could have been announced is not only poor development but shows horrible character on the development team's part.
If you are running vbgallery 2.5.1 and have the ecard or send to friend feature active, it has an exploit. Spammers can hook in somehow and mail spam directly through your server. You would be a fool to use their products knowing this is how he handled this exploit.
I hope this can stay up to help notify people since the "developers" over at photopost chose not to.
Thanks to Brandon Sheley you can download the attached zip which contains a pdf displaying the entire conversation that Chuck deleted! You can see first hand how much he cares about his clients. lmao