Not long ago, when password security on our web site accidentally got turned off, our web site was hacked by using a security hole in osCommerce. The hacker uploaded a PHP file to our server by choosing it instead of an image file for one of the categories on our web site, using categories maintenance in the admin section. When the "image" was then displayed, it loaded the hack onto our server. If osCommerce had validated image files like it should, the hacker would never have been able to hack the site.
Although osCommerce has a built-in ability to restrict the file types for uploads, for some reason it is not used to prevent invalid file types from being uploaded as images in category, product and manufacturer maintenance. This simple modification fixes that security flaw by requiring that the image files chosen for categories, products or manufacturers be one of the four image file types that every web browser can display.
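The check below is an added example, not code from this contribution or from osCommerce itself, showing the kind of validation the modification describes: a file submitted as a category, product or manufacturer image is accepted only if its extension is one of the browser-displayable types and, going a step further than an extension list alone, only if the bytes actually carry a matching image header. The four accepted extensions (gif, jpg, jpeg, png), the function names and the sample files are assumptions made for the example; `validate_catalog_image()` takes one entry of `$_FILES`, as the admin upload handlers would pass it.

```php
<?php
// Added example (not osCommerce's own code): validate that a file submitted as a
// category/product/manufacturer image is one of the browser-displayable image
// types, by extension AND by content, before it is saved into the images directory.

// Assumption: the accepted types are GIF, JPEG and PNG under these four extensions.
const ALLOWED_IMAGE_TYPES = [
    'gif'  => IMAGETYPE_GIF,
    'jpg'  => IMAGETYPE_JPEG,
    'jpeg' => IMAGETYPE_JPEG,
    'png'  => IMAGETYPE_PNG,
];

/**
 * Check one entry of $_FILES (for example $_FILES['categories_image']).
 * Returns null when the file is acceptable, otherwise a short rejection reason.
 * $require_uploaded must stay true in production; it is false only so the demo
 * below can run on locally constructed files instead of a real upload.
 */
function validate_catalog_image(array $file, bool $require_uploaded = true): ?string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return 'upload failed or no file submitted';
    }
    if ($require_uploaded && !is_uploaded_file($file['tmp_name'])) {
        return 'tmp_name is not a file uploaded by PHP';
    }

    // Extension check: only the final extension counts, lower-cased, so
    // "photo.PNG" passes while "photo.php" and "photo.gif.php" do not.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        return "extension '$ext' is not an allowed image type";
    }

    // Content check: the name is chosen by the uploader, so inspect the bytes too.
    // getimagesize() returns false unless the data starts with a recognised image
    // header; element [2] of its result is the detected IMAGETYPE_* constant.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        return 'file content is not a recognised image';
    }
    if ($info[2] !== ALLOWED_IMAGE_TYPES[$ext]) {
        return "file content does not match its '$ext' extension";
    }
    return null;
}

// ---- Demo on constructed inputs standing in for the real $_FILES array ----
function make_temp_file(string $contents): string
{
    $path = tempnam(sys_get_temp_dir(), 'img');
    file_put_contents($path, $contents);
    return $path;
}

// Constructed sample: a 1x1 transparent GIF.
$real_gif = make_temp_file(base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
// Constructed sample: PHP source carrying an image extension, the case described above.
$fake_gif = make_temp_file("<?php /* not an image */ ?>");

$cases = [
    ['logo.gif',      $real_gif],   // accepted
    ['logo.GIF',      $real_gif],   // accepted: extension compare is case-insensitive
    ['logo.png',      $real_gif],   // rejected: real image, extension does not match content
    ['shell.php',     $fake_gif],   // rejected: extension not allowed
    ['shell.gif',     $fake_gif],   // rejected: allowed extension, but no image header
    ['shell.gif.php', $fake_gif],   // rejected: only the last extension is considered
];
foreach ($cases as [$name, $tmp]) {
    $file = ['name' => $name, 'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK];
    $verdict = validate_catalog_image($file, false);
    printf("%-15s %s\n", $name, $verdict === null ? 'accepted' : "rejected: $verdict");
}
unlink($real_gif);
unlink($fake_gif);
```

The extension whitelist alone corresponds to the built-in restriction the description mentions (osCommerce's `upload` class exposes it through `set_extensions()`); the `getimagesize()` step catches a file whose name says "gif" but whose content is PHP source, which an extension list cannot. In a real handler the file should still be stored with a server-chosen name and the images directory should not execute scripts, so that a bypass of either check does not become code execution.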
Both instructions and completed PHP files are included in the download.