If I can upload an HTML page I can do what’s called a Cross Site Scripting (XSS) attack, as some browsers will render gifs as HTML. Neal Poole from Facebook wrote about a Wordpress vuln like this back in 2011
The HTML file could have javascript in it, which I could use to do bad things.
Again, I’m not a security researcher (though that’s what our community is made up of), so I can’t speak at length about XSS or test this thoroughly. I’m just wondering if you guys do anything to check headers of uploads. If you could answer that question for me, that would be awesome.