The Avatars add-on has been updated today with a simple function that scans the uploaded content for '<?' and '?>' tags. If such tags are found, the file is treated as malicious and the upload is rejected. Since avatars are usually small files, the check is straightforward: the whole file is read on upload and scanned.
This should help prevent so-called 'PHP shell' code embedded in a picture from being uploaded.
Don't forget that there are other security considerations for this add-on:
- disallow GIF in the file types list: it is an outdated format that has led to many security bugs. Any picture can be produced as PNG with the same features GIF offers, so there is a replacement for this format that your users should accept;
- setting $avatarMaxFileSize to less than 10 Kb may add some extra security, as PHP shells usually need more space;
- setting $staticAvatarSize=TRUE; (all avatars re-encoded to the same size) may help prevent malicious uploads, because PHP's image functions usually cannot decode broken or corrupted images, which PHP shells disguised as images usually are.
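The following is an added example, not the add-on's own code, showing how the tag scan from the announcement and the three recommendations above fit together in one upload check. It assumes GD is available, that $avatarMaxFileSize and $staticAvatarSize are the settings named above (the values, the target dimensions and the function name validateAvatarUpload() are assumptions of this example), and it always re-encodes the image instead of storing the uploaded bytes, which is why a file that is not a real image cannot survive the step.

```php
<?php
// Added example (not the add-on's own code): a defensive avatar upload check
// combining the tag scan with the three measures from the post. The setting
// names mirror the post; the values, dimensions and function name are assumed.

$avatarMaxFileSize = 10 * 1024;   // assumed: 10 KB, as the post suggests
$staticAvatarSize  = true;        // re-encode every avatar to one fixed size
$avatarWidth       = 64;          // assumed target dimensions
$avatarHeight      = 64;

/**
 * Validate an uploaded avatar and write a re-encoded PNG to $destPath.
 * Returns null on success, or a string explaining why the file was rejected.
 */
function validateAvatarUpload(string $tmpPath, string $destPath,
                              int $maxSize, bool $staticSize,
                              int $width, int $height): ?string
{
    // Only accept files that really came through an HTTP upload.
    if (!is_uploaded_file($tmpPath)) {
        return 'not an uploaded file';
    }

    // 1. Size limit first: a shell typically needs more than a few KB.
    $size = filesize($tmpPath);
    if ($size === false || $size > $maxSize) {
        return 'file exceeds the maximum avatar size';
    }

    // Avatars are small, so reading the whole file into memory is fine.
    $data = file_get_contents($tmpPath);
    if ($data === false) {
        return 'could not read uploaded file';
    }

    // 2. The post's check: reject anything containing PHP open/close tags.
    //    This is a byte-level heuristic: "<?" can also occur by chance inside
    //    compressed image data, so expect occasional false positives, and it
    //    is a supplement to re-encoding, not a replacement for it.
    if (strpos($data, '<?') !== false || strpos($data, '?>') !== false) {
        return 'file contains PHP tags and is considered malicious';
    }

    // 3. Only accept PNG and JPEG; GIF is dropped from the allowed list.
    $info = getimagesizefromstring($data);
    if ($info === false) {
        return 'file is not a valid image';
    }
    if (!in_array($info[2], [IMAGETYPE_PNG, IMAGETYPE_JPEG], true)) {
        return 'image type not allowed (only PNG and JPEG are accepted)';
    }

    // 4. Decode with GD. A corrupted file (which a shell disguised as an
    //    image usually is) fails to decode here.
    $img = @imagecreatefromstring($data);
    if ($img === false) {
        return 'image could not be decoded';
    }

    // 5. Optionally force one fixed size, then always re-encode as PNG so the
    //    stored file is rendered from pixels rather than copied from the upload.
    if ($staticSize) {
        $resized = imagescale($img, $width, $height);
        if ($resized === false) {
            imagedestroy($img);
            return 'image could not be resized';
        }
        imagedestroy($img);
        $img = $resized;
    }

    $ok = imagepng($img, $destPath);
    imagedestroy($img);
    return $ok ? null : 'could not write avatar';
}

// Usage (assumes a form field named "avatar", an avatars/ directory and a
// hypothetical $userId from the session):
// $err = validateAvatarUpload($_FILES['avatar']['tmp_name'],
//                             'avatars/' . (int) $userId . '.png',
//                             $avatarMaxFileSize, $staticAvatarSize,
//                             $avatarWidth, $avatarHeight);
// if ($err !== null) { exit('Upload rejected: ' . $err); }
```

The order matters: the size check runs before the file is read, the cheap tag scan runs before any image decoding, and the stored file is always the freshly rendered PNG, so the check ends with a file whose bytes were produced by GD, not by the uploader. Serving the avatars directory with PHP execution disabled remains the backstop if any of these checks is ever bypassed.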