Support

I consider this a security risk, albeit a low one. The cache directory is supposed to hold files which are normally not accessible over the web. These files are supposed to hold dynamically rendered content which take a long time to produce. Storing them in the cache makes it faster to display them. An extension linking directly to files inside this directory is in violation of security best practices: it is asking you to provide access to files in a place which isn't supposed to be web accessible.

I would recommend contacting the developer of this extension and explain him the problem at hand. The proper place for web-accessible content is a subdirectory of the top-level media directory of the site, named after the extension. For example, Akeeba Backup stores its web-accessible content inside the media/com_akeeba subdirectory and the very popular K2 component does the same using media/com_k2 for all dynamic content, such as resized article images. The developer of your gallery extension should do the same thing. XML files (which, if I recall correctly, is what the galery extension in question generates) are allowed to be served over the web from the media directory and its subdirectories.

Please remember that staying with an end-of-life product (Joomla! 1.5) will eventually result in your site getting hacked. Most likely it won't be because of Joomla! itself but because all developers have stopped supporting Joomla! 1.5 or are about to do so. As your extensions grow old and unmaintained, the possibility of a major vulnerability in one of them becomes very likely. Moreover, Joomla! 1.5 will only run with PHP versions up to 5.3. As web hosts are going to upgrade their PHP versions your site faces a very real risk of not running at all.

Much better approach. You still do a small compromise security-wise but it's now a small compromise. Most automated hacking tools will try to put a malicious file inside the root of the cache directory. By only enabling direct access to select subdirectories you are safe from those, which is the entire point of having the .htaccess Maker and its protection features.