Well, I have joined the ranks of sites which have recently been hacked (http://www.zenphoto.org/support/topic.php?id=9939).
One of the sites is my primary, and I had updated it yesterday to the 1.4.2 beta, which has the fix for the known ajaxfilemanager vulnerability. Since the site was running yesterday, I have to assume that the hack did not use that path.
I have taken a quick look at the ajaxfilemanager implementation. To the best of my knowledge there is no "security" on what it might do if someone directs a URL properly at one of its component files.
Therefore, I strongly recommend that the ajaxfilemanager folder be deleted from your sites.
We will continue to investigate and see if there is a fix for this. But since it is not our code, the understanding and correction may take a while.