JMK's Picture Gallery allows remote attackers to bypass authentication via a direct request to admin_gallery.php3, possibly related to the add action.
https://exchange.xforce.ibmcloud.com/vulnerabilities/26210
http://www.securityfocus.com/bid/17755
http://www.securityfocus.com/archive/1/432575/100/0/threaded