Regarding show_image_in_imgtag.php :
Like TimU, I can confirm that requiring _JEXEC be defined does not allow thumbnails to show (J1.5.11 & VM1.1.3). And, it makes sense why. The show_image_in_imgtag.php is somewhat of a standalone file that simply returns a resized image. It doesn't have to be called from another Joomla file in order to work. If you look at one of the image tags it creates in VM you can go to it directly and it'll show the image in a browser. As soon as you require _JEXEC it's going to die since the Joomla framework is not needed or loaded for the script to run. Unless you define it manually, which defeats the purpose, it'll return 'Restricted Access'.
Regarding the above code, it also seems redundant to have the script define _JEXEC if there's no mosConfig_absolute_path. If there's a _REQUEST set for mosConfig_absolute_path then simply kill the script-- that's it-- so why all the extra code? You also don't have to include the joomla config file if you're setting mosConfig_absolute_path to the same thing.
Clearing all that out, this works for me:
if( isset($_REQUEST['mosConfig_absolute_path'])) die(); //just kill it if this is found for any reason
define( '_JEXEC', 1 ); //since there's no Joomla framework being loaded, we need this so we can run the joomla configuration file
$mosConfig_absolute_path = dirname( '../../configuration.php' );
Still, since I have disallowed mosConfig_* as a query request through the .htaccess file, I'm still not sure this is necessary at all. Frankly it all seems double and triple redundant, but do correct me if I'm wrong.