phpThumb has an exploitable command vulnerability.
I just took the latest phpThumb 1.7.10
and updated it according to the doc provided:

catalog/phpThumb/phpThumb.php: set the error reporting to (E_ERROR | E_PARSE) instead of E_ALL.
catalog/phpThumb/phpThumb.config.php: the following parameters have been modified:

$PHPTHUMB_CONFIG['document_root']: from osCommerce constant
$PHPTHUMB_CONFIG['cache_directory']: from configuration parameter
$PHPTHUMB_CONFIG['high_security_password']: from configuration parameter

You should replace your current version of phpThumb with the one provided in the zip file.
