2
hm. well, the directory does have to be writable, obviously, and has to be readable and traversable (executable). Having a directory chmodded to 777 isn't a security risk per se, it depends on alot of other things. One is the umask of the user that is running the script - if the umask is set to write the files as 755, someone could execute the script (in a default Apache environment, Apache won't execute scripts chmodded to 777, or obviously, 766 because it isn't executable). So if the umask of the user running the uploader script writes the files as 700 (or even 777, although that wouldn't be cool), you're fine. Scripts should always be security consious, but you should never depend on their security.
I guess in short, it's not insecure if your Apache environment is setup securely, although I'm sure there are other users that are much better than me to explain better).
As for ways around it, run ClamAV on your server, maybe run a simple bash script to chmod all the pics in the directory to a more secure level. Run Bastille. Defintly use the security module for Xoops! That will help a lot.
