He disables JavaScript in his browser and uploads hack.php as his profile image. Because the file type check runs only in JavaScript, it is never performed.
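The server-side counterpart to that check, as an added example that is not code from the original page: it decides from the uploaded bytes whether the file is an allowed image and assigns the stored name itself. It assumes a PHP server with the fileinfo extension; the helper name `safe_profile_image_name`, the allow-list and the sample inputs are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Allow-list: detected content type => extension the server assigns.
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Hypothetical helper: choose the stored file name from the uploaded bytes.
 * Returns null when the content is not an allowed image type.
 */
function safe_profile_image_name(string $tmpPath): ?string
{
    // The type comes from the file content, never from the client-supplied
    // name or Content-Type header, both of which the uploader controls.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!is_string($mime) || !array_key_exists($mime, ALLOWED_IMAGE_TYPES)) {
        return null;
    }
    // Random base name plus allow-listed extension: the original name
    // ("hack.php") is discarded, so the stored file never ends in .php.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
}

// Constructed sample uploads, written to temp files for the demonstration.
$samples = [
    'hack.php'   => "<?php echo 'constructed sample'; ?>\n",
    'avatar.gif' => "GIF89a\x01\x00\x01\x00\x00\x00\x00;",
];
foreach ($samples as $clientName => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    $stored = safe_profile_image_name($tmp);
    echo $clientName, ' => ', $stored ?? 'rejected', PHP_EOL;
    unlink($tmp);
}
```

In a real upload handler the path passed in would be `$_FILES[...]['tmp_name']`, and accepted files belong in a directory the web server does not execute scripts from.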