In case anyone is interested, this article explains exactly this topic:
http://addict3d.org/index.php?page=v...curity&ID=1075
I'm copying the conclusion:
Conclusion
In conclusion I really have nothing to say except for I think this is a huge security issue that many PHP coders overlook when making a file upload. File uploads are used in everything from forum avatars to free web hosts and I am sure many, many of these scripts contain this flaw. To protect your scripts from this type of attack there is no way around it but to check the file extension instead of using the MIME type. Enjoy.
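To illustrate the quoted conclusion, here is an added example that is not part of the original post or the linked article: a check on the client-supplied MIME type next to an extension allowlist, run over constructed upload entries. The function names, the allowlist and the sample file names are assumptions made for the illustration.

```php
<?php
// Added example. The entries below are constructed and only mimic the
// 'name' and 'type' fields PHP exposes in $_FILES for an upload.

// Weak check: $file['type'] is taken from the Content-Type the client sent
// with the upload, so it reflects what the client claims, not the file.
function mime_type_check(array $file): bool
{
    return in_array($file['type'], ['image/gif', 'image/jpeg', 'image/png'], true);
}

// Extensions accepted for an avatar upload (assumed allowlist).
const ALLOWED_EXTENSIONS = ['gif', 'jpg', 'jpeg', 'png'];

// Check the conclusion recommends: decide on the extension of the file name,
// because the extension is what the web server uses to pick a handler.
function extension_check(array $file): bool
{
    // basename() drops any directory components sent as part of the name.
    $name = basename($file['name']);
    // Compare case-insensitively so "photo.JPG" is treated like "photo.jpg".
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXTENSIONS, true);
}

// Constructed sample inputs.
$uploads = [
    ['name' => 'avatar.png', 'type' => 'image/png'],
    ['name' => 'avatar.php', 'type' => 'image/png'],  // claimed type does not match the name
    ['name' => 'photo.JPG',  'type' => 'application/octet-stream'],
];

foreach ($uploads as $file) {
    printf(
        "%-12s type=%-26s mime_check=%-7s extension_check=%s\n",
        $file['name'],
        $file['type'],
        mime_type_check($file) ? 'accept' : 'reject',
        extension_check($file) ? 'accept' : 'reject'
    );
}
```

The second entry is the case the conclusion warns about: the MIME-type check accepts it while the extension check rejects it.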