by _def 2 days ago
Many, many years ago I saw someone using an image hoster which only checked MIME type, and not filename. That's the important bit after all, right? Uploading an image as image.php worked, and if the EXIF comment contained PHP code, it ran.
1 comments

More than that, you need to check the file is a valid image, not just the MIME type. I remember a host that let me upload an aspx file as a jpg and it allowed me to execute it and browse their entire file system until I found the SQL Server and network administrator passwords in a text file.

The passwords were both "internet".
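
An upload handler that avoids both failures described in the thread, added here as an illustration and not written by either commenter: it ignores the client's filename and MIME type, verifies the PNG chunk structure and CRCs, drops metadata chunks, and picks the stored name and extension itself. It assumes a PNG-only service; `sanitize_png` and `store_upload` are hypothetical names, the sample bytes are constructed, and it checks the container only, without decoding pixel data.

```python
import secrets
import zlib
import struct

PNG_SIG = b"\x89PNG\r\n\x1a\n"
KEEP = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS"}  # chunks needed for pixels


def chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, body, CRC32(type + body)."""
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body)))


def sanitize_png(data: bytes) -> bytes:
    """Parse every chunk, verify its CRC, and re-emit only the KEEP chunks."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    out, pos, seen = [PNG_SIG], len(PNG_SIG), []
    while pos < len(data):
        length = int.from_bytes(data[pos:pos + 4], "big")
        ctype = data[pos + 4:pos + 8]
        end = pos + 8 + length + 4  # header + body + CRC
        if end > len(data):
            raise ValueError("truncated chunk")
        body = data[pos + 8:pos + 8 + length]
        if int.from_bytes(data[end - 4:end], "big") != zlib.crc32(ctype + body):
            raise ValueError("bad CRC")
        seen.append(ctype)
        if ctype in KEEP:  # tEXt, iTXt, zTXt, eXIf and unknown chunks are dropped
            out.append(chunk(ctype, body))
        pos = end
        if ctype == b"IEND":
            break  # anything appended after IEND is discarded
    if not seen or seen[0] != b"IHDR" or seen[-1] != b"IEND" or b"IDAT" not in seen:
        raise ValueError("malformed PNG structure")
    return b"".join(out)


def store_upload(client_name: str, client_mime: str, data: bytes):
    """Return (stored_name, bytes); client_name and client_mime are never used."""
    return secrets.token_hex(16) + ".png", sanitize_png(data)


# Constructed sample: a valid 1x1 PNG with a text chunk holding a PHP marker.
SAMPLE = (PNG_SIG + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
          + chunk(b"tEXt", b"Comment\x00<?php /* constructed marker */ ?>")
          + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND", b""))
```

The server-chosen `.png` name is what stops the file from being handed to a script interpreter; serving the upload directory with script execution disabled covers the case where that mapping is misconfigured.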