If I allow attachments how can I prevent an attacker from uploading malicious scripts/shell on my server ?
When uploading an attachment it's file extension is changed to .attach to prevent execution of the file. Moreover the file name is generated randomly which makes it almost impossible to access a file directly. Therefore allowing attachments is save.
oh ok and do the user uploaded avatar files ext also changes ?
Since avatars are images they are not executable.
is it possible to embed malicious code with image files ? as with wordpress I use a IPS and I constantly see image type files uploading attempts (my blog do not require or allow any uploads)