May 19, 2009
The fGallery exploit described here is fixed in version 2.4.2, available for download at the plugin page.
The fix includes proper escaping of the URL and a check that “album” is numeric. If “album” is not numeric, the script dies, so the exploit cannot be executed.
Thanks to all of you who made me aware of this exploit and I apologize for any problem it may have caused.
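The kind of check described in the fix above, as an added example and not fGallery's actual code: it assumes PHP, and the function names and the `/gallery.php` path are hypothetical. It shows why a strict digits-only test is safer than `is_numeric()` and how array or missing values are rejected.

```php
<?php
// Added example: hypothetical helpers, not taken from fGallery.

/**
 * Return the album id as an int, or null when the raw request value is not
 * a plain decimal number. $raw may be a string, an array, or missing.
 */
function parse_album_id($raw): ?int
{
    // "album[]=1" arrives as an array; a missing parameter arrives as null.
    if (!is_string($raw)) {
        return null;
    }
    // ctype_digit() accepts only 0-9, so "1e3", "0x1A", "-1", " 7" and ""
    // all fail. is_numeric() would accept "1e3", "1.5" and " 7".
    // The length cap keeps the value inside a 32-bit int.
    if (!ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    return (int) $raw;
}

/** Build a link to an album and escape it for use in an HTML attribute. */
function album_link(string $base, int $albumId): string
{
    $url = $base . '?' . http_build_query(['album' => $albumId]);
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

/** Request entry point: stop before any further processing on bad input. */
function handle_request(array $query): string
{
    $albumId = parse_album_id($query['album'] ?? null);
    if ($albumId === null) {
        http_response_code(400);
        die('Invalid album');
    }
    return album_link('/gallery.php', $albumId);
}

// Constructed sample inputs, run from the command line.
foreach (['12', '1e3', '0x1A', '12abc', '-1', ' 7', ['1'], ''] as $sample) {
    $id = parse_album_id($sample);
    printf("%-8s => %s\n", json_encode($sample), $id === null ? 'rejected' : "album $id");
}
```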
