Here is the install instructions with directory and file permissions. http://www.photopost.com/installphp.html
I can tell you version 5.0 of our script was gone over totally by an independent security company and we recieved seal of approval making sure our script was totally secure. There where in prior version some security holes just like any script. Most of these holes come from vulnerabilities in PHP itself
I find it particularly a strong coincidence that post these accounts are on HOSTROCKET that where hacked. Michael can respond more on this since he was the one whom worked hands on in Donna's account on specifics here.