Consider this ASP file:
Set fs=Server.CreateObject("Scripting.FileSystemObject")
Now, guess what happens when I request:
Gone is your precious file SomeImportantFile.txt
This is just a simple example but I have seen entire script libraries that do crazy stuff, like:
1. Use FTP.exe to FTP files away
2. Move important system files under the webroot so they can be downloaded
3. Delete important files so you get error info that may lead to other information.
You can do anything that ASP allows you to do under the current credentials.
Point is: don't trust user input. It's nice to use client validation as a courtesy to users so they get immediate feedback ("sorry this file extension is not allowed", even before they upload it), but ALWAYS check stuff at the server as well. CONSIDER ALL USER INPUT AS EVIL (and you know I usually don't shout in this forum).
Everyone is unique, except for me.
Author of ASP.NET 2.0 Instant Results
and Beginning Dreamweaver MX / MX 2004
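The server-side check the post argues for, written out as an added classic ASP example (not code from the original post): the user-supplied name is only handed to FileSystemObject after an allowlist test and after confirming the resolved path stays inside the upload folder. It assumes uploads live in /uploads under the webroot and that the name arrives in a "file" query-string parameter.

```vbscript
<%
' Added example, not from the original post: validate a user-supplied file
' name before FileSystemObject ever sees it. Assumptions: uploads live in
' /uploads under the webroot; the name arrives in Request.QueryString("file").
Option Explicit

' True only for a bare file name: no path separators, no "..", no control
' characters, and one of the allowed extensions.
Function IsSafeFileName(name)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_\-]{1,64}\.(jpg|png|gif|txt)$"
    re.IgnoreCase = True
    IsSafeFileName = re.Test(name)
End Function

' Absolute path inside baseDir, or "" when the name is rejected. The path
' comparison is a second line of defence in case the allowlist is loosened.
Function ResolveUploadPath(fs, baseDir, name)
    Dim fullPath
    If Not IsSafeFileName(name) Then
        ResolveUploadPath = ""
        Exit Function
    End If
    fullPath = fs.GetAbsolutePathName(fs.BuildPath(baseDir, name))
    If LCase(Left(fullPath, Len(baseDir) + 1)) <> LCase(baseDir & "\") Then
        ResolveUploadPath = ""
    Else
        ResolveUploadPath = fullPath
    End If
End Function

Dim fs, baseDir, target
Set fs = Server.CreateObject("Scripting.FileSystemObject")
baseDir = Server.MapPath("/uploads")
target = ResolveUploadPath(fs, baseDir, Request.QueryString("file"))

If target = "" Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid file name."
ElseIf fs.FileExists(target) Then
    fs.DeleteFile target
    Response.Write "Deleted."
Else
    Response.Status = "404 Not Found"
End If
%>
```

Client-side checks can still give the friendly "extension not allowed" message the post mentions; this is the part that must run regardless of what the browser sent.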