In wrapper.php, you're using $HTTP_SERVER_VARS['SCRIPT_FILENAME'] in $filesystem_root_path but realpath($HTTP_SERVER_VARS['SCRIPT_FILENAME']) in $filesystem_pAG_path_abs.
As realpath() resolves symlinks the other handling code doesn't construct a proper $filesystem_pAG_path_abs causing a file not found error if you have symlinks in the path to SCRIPT_FILENAME (i.e. /htdocs -> /var/www)
Resolve...
I'm afraid to say it but this application is easily hackable.
Some examples:
*get .htaccess file:
http://phpautogallery.sourceforge.net/demo/__phpAutoGallery__picLoader/.htaccess
*get config file with username and password
http://phpautogallery.sourceforge.net/demo/__phpAutoGallery__picLoader/__phpAutoGallery/config/config.inc.php
Google shows hundreds of sites are currently...