I just learned that a new exploit for osCommerce was released yesterday.

All released versions are affected except 2.2 MC3, which is in CVS. Please upgrade to that version or apply the following patch from osCommerce.

"To fix the issue, the $_sid parameter needs to be wrapped around tep_output_string() in the tep_href_link() function defined in includes/functions/html_output.php.

Before:

    if (isset($_sid)) {
        $link .= $separator . $_sid;   // session id appended to the link as-is
    }

After:

    if (isset($_sid)) {
        $link .= $separator . tep_output_string($_sid);   // session id escaped before output
    }
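To see what the one-line change actually buys you, here is an added example that is not osCommerce code and not part of the original post. It models the two branches quoted above side by side and feeds them a constructed session-id string containing a double quote. Because osCommerce's real tep_output_string() lives in includes/functions/html_output.php and is not reproduced here, the example uses a stand-in escaping helper (an assumption, built on PHP's htmlspecialchars()); the page name, the base URL and the sample session id are likewise constructed for the demonstration.

```php
<?php
// Added example, not osCommerce code. Demonstrates why wrapping $_sid in
// tep_output_string() inside tep_href_link() matters: without it, whatever
// string ends up in $_sid is copied into the generated link verbatim.

// Assumption: a simplified stand-in for osCommerce's own tep_output_string().
// The real function is in includes/functions/html_output.php.
function tep_output_string_stub(string $s): string {
    // Escape the characters that can terminate an HTML attribute or tag.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Minimal model of the link builder, "before" branch: $_sid appended raw.
function build_link_before(string $page, ?string $sid): string {
    $link = 'index.php?page=' . $page;              // constructed base URL
    $separator = (strpos($link, '?') === false) ? '?' : '&';
    if (isset($sid)) {
        $link .= $separator . $sid;                 // before: unescaped
    }
    return $link;
}

// Same model, "after" branch: $_sid passed through the escaping helper.
function build_link_after(string $page, ?string $sid): string {
    $link = 'index.php?page=' . $page;
    $separator = (strpos($link, '?') === false) ? '?' : '&';
    if (isset($sid)) {
        $link .= $separator . tep_output_string_stub($sid);   // after: escaped
    }
    return $link;
}

// Constructed sample: a session-id string carrying a quote and a tag.
// Nothing about the real exploit is assumed beyond "the value is not escaped".
$sid = 'osCsid=abc123"><script>alert(1)</script>';

$before = build_link_before('product_info', $sid);
$after  = build_link_after('product_info', $sid);

// Render the way a template would, inside an href attribute.
echo '<a href="' . $before . '">before</a>' . PHP_EOL;
echo '<a href="' . $after  . '">after</a>'  . PHP_EOL;

// Sanity check: the escaped link must contain no raw quote or angle bracket,
// so it can no longer break out of the attribute it is printed into.
if (strpbrk($after, '"<>') !== false) {
    fwrite(STDERR, "escaping failed\n");
    exit(1);
}
echo "ok: escaped link stays inside the attribute" . PHP_EOL;
```

Run it with `php example.php`. The "before" line prints a closed href attribute followed by a live script tag; the "after" line prints the same payload with `"`, `<` and `>` turned into entities. When checking a patched install, the practical test is the same: put a quote in the session id parameter the site accepts and confirm that every generated link still escapes it.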