in reply to
Security issues when allowing file upload via CGI
I don't see why they need to be chmod to 555, I think 644 is probably more appropriate for data files. This allows the process to write them and everyone else to read them. 555 allows everyone to execute them, which means all I have to do is upload a script to your server and the fun begins.
Beyond that, no... you can't really prevent someone from uploading an .exe file to your system, but without it saying .exe at the end I suspect MS Windows isn't going to do anything meaningful with it-- and without the correct content-type header many other browsers aren't going to treat it correctly either. And if you upload an .exe as a .jpg, it's likely to get served back as a JPEG which won't display since the exe data is not in the correct JPEG format. If a hole existed whereby my browser was fed an unexpected file and then ran that file willy-nilly, it would have been exploited more than Outlook by now.