This is why you need to validate File Upload controls

This is how quick it can happen. The site has a simple File Upload control, but it has no validation which allows us to upload a php shell and get access to the whole system. Using this shell we can steal password hashes or upload files to the webserver.