BE 1.6 file upload security vulnerabilities?

May 18 at 1:56 PM
We have a client with a BE 1.6 site that appears to have some kind of security vulnerability that is allowing ASPX files to be uploaded/written to the site root. Even if someone had admin access, I don't see how the image or file upload feature of the post page would allow this to happen (since the uploads are served via the file handlers). The file upload feature of the contact form is disabled, too.

Has anyone heard of this happening? Is there a security update that perhaps we're missing? Any help would be appreciated. Thanks!