I got this emailed out from my hosting provider, surpasshosting.com:
UPDATE: This email pertains to clients on Shared/Reseller servers who are currently using osCommerce.
We have seen a dramatic increase in attacks against osCommerce installations in recent months. There are several severe unpatched vulnerabilities for osCommerce. There has not been a stable release of osCommerce since January of 2008. The osCommerce project appears to be dead and it is reasonable to assume that the blaring security vulnerabilities in this software will not be patched by its developers. All versions of osCommerce have been confirmed to be vulnerable.
We have created mod_security rules to help mitigate these vulnerabilities for our shared and reseller accounts. This may protect your account for the time being, but these mitigations should not be relied on as a long term solution.
The only long term solution to ensure the safety of your site is to switch to another ecommerce CMS solution. An actively developed CMS ecommerce solution that you may want to consider is Magento:
Magento supports similar functionality to osCommerce and is being actively developed and supported by its developers. The Magento Community Edition is free to download and is developed through an open source community.
Other solutions include Zencart which you can still install through your Fantastico interface. Zencart contains much of the same functionality as osCommerce, but it is still in active development.
For those absolutely unable to migrate to a different CMS, we recommend that you at least enable cPanel’s folder protection system for your osCommerce admin/ directory. You can access this feature through your cPanel interface at: cPanel → Security → “Password Protect Directories”. You can simply select your “admin” directory and specify a username and password. This will protect you from the security bypass vulnerabilities present in the osCommerce software.
Beginning December 1, 2010 we are removing support for installing the osCommerce CMS through Fantastico on all of our shared/reseller servers. This will not affect clients who currently have osCommerce installed.
Thank you very much for your consideration and if you have any other questions and/or concerns, please feel free to let us know.
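For anyone doing the equivalent of the cPanel "Password Protect Directories" step by hand, here is an added example (not from the hosting provider's email or from cPanel) that writes the .htaccess and .htpasswd files Apache Basic auth needs for an osCommerce admin/ directory and checks a login against them. It assumes Apache honours .htaccess in that directory (AllowOverride AuthConfig) and that openssl is installed; the paths and user name are placeholders.

```shell
#!/bin/sh
# Hand-rolled equivalent of cPanel's directory password protection:
# an Apache Basic auth .htaccess plus a .htpasswd with an apr1 (Apache MD5)
# hash, which is the format "htpasswd -m" writes. Placeholder paths/users.

protect_admin_dir() {
    # $1 = admin directory to protect (placeholder, e.g. /home/u/public_html/store/admin)
    # $2 = absolute path of the .htpasswd file, kept outside the web root
    # $3 = login name, $4 = password
    dir="$1"; pwfile="$2"; user="$3"; pass="$4"
    # Feed the password on stdin so it never appears in the process list.
    hash=$(printf '%s\n' "$pass" | openssl passwd -apr1 -stdin) || return 1
    # Credentials file readable only by the owner.
    (umask 077; printf '%s:%s\n' "$user" "$hash" > "$pwfile") || return 1
    cat > "$dir/.htaccess" <<EOF
AuthType Basic
AuthName "osCommerce admin"
AuthUserFile $pwfile
Require valid-user
EOF
}

check_admin_password() {
    # Verify $3 against the stored apr1 hash for user $2 in $1, the way
    # Apache would: re-hash with the stored salt and compare.
    pwfile="$1"; user="$2"; pass="$3"
    stored=$(grep "^$user:" "$pwfile" | head -n 1 | cut -d: -f2-)
    [ -n "$stored" ] || return 1
    # Stored form is $apr1$<salt>$<digest>; the salt is the third field.
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    candidate=$(printf '%s\n' "$pass" | openssl passwd -apr1 -salt "$salt" -stdin)
    [ "$candidate" = "$stored" ]
}
```

Once the files are in place, a request to the admin/ URL without credentials should return HTTP 401, which is the quick check that the override is actually being honoured.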