Protect your files directories

Posted by Garrett Albright

Be wary of what folks can upload into the "files" directories on your Drupal site. They may be able to upload a PHP file, then try to access that PHP file in their web browser, thus being able to execute arbitrary code. This is dangerous!

I believe Drupal's .htaccess files block this sort of thing for Apache users, but what about us Lighty users? Fortunately, it's not too tough to stop this from happening; just add something like this to Lighty's config file:

# Deny every request whose path contains a .php file under any "files" directory
$HTTP["url"] =~ "/files/.*\.php" {
  url.access-deny = ("")
}

Site visitors will then get a 403 error any time they try to access a PHP script inside of a files directory (any files directory at any depth, so this works with multi-site setups too). Test it by creating a phpinfo() page, putting it in a files directory, and trying to access it both before and after adding the code above to your config file (don't forget that you have to restart Lighty after tweaking its config).

If your Lighty installation is also capable of running Python, Ruby, Perl, or other scripts, don't forget to exclude those sorts of scripts as well, with something like this:

# Same idea, extended to the other script extensions this server might execute
$HTTP["url"] =~ "/files/.*\.(php|py|pl|cgi|rb)" {
  url.access-deny = ("")
}
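Before restarting Lighty it helps to know exactly which request paths a pattern will and won't deny. The script below is an added example, not part of the original post: it runs the two patterns from this page, plus an assumed hardened variant, over a handful of constructed request paths. Python's `re` module is used as a stand-in for lighttpd's PCRE matching, which behaves the same for the constructs these patterns use (`.*`, `\.`, alternation and the `(?i)` flag). The hardened pattern and its extra extensions (`phtml`, `php3` to `php7`, `phar`) are my additions; whether your PHP handler actually executes those depends on your `fastcgi.server` configuration, so treat the list as a starting point.

```python
import re

# Patterns exactly as they appear in the lighttpd config in this post.
ORIGINAL_PATTERN = r"/files/.*\.php"
MULTI_SCRIPT_PATTERN = r"/files/.*\.(php|py|pl|cgi|rb)"

# Assumed hardened variant (not from the post): case-insensitive, and covering
# extensions a PHP handler is commonly configured to serve besides plain .php.
HARDENED_PATTERN = r"(?i)/files/.*\.(php|phtml|php[3-7]|phar|py|pl|cgi|rb)"

# Constructed request paths; none of these come from a real site.
SAMPLE_PATHS = [
    "/files/avatar.png",                # ordinary upload, must stay reachable
    "/files/report.pdf",
    "/files/upload.php",
    "/sites/example.com/files/x.php",   # multi-site layout, deeper files dir
    "/files/upload.PHP",                # upper-case extension
    "/files/upload.phtml",              # alternative PHP extension
    "/files/upload.php/image.jpg",      # extra path segment after the script
    "/files/notes.php.txt",             # harmless name the regex still denies
    "/modules/foo/bar.php",             # outside any files/ dir, must stay reachable
]


def is_denied(pattern, path):
    """True if lighttpd would hit the url.access-deny block for this path.

    $HTTP["url"] =~ is an unanchored regex match on the request path, so
    re.search (not re.fullmatch) mirrors its behaviour."""
    return re.search(pattern, path) is not None


def evaluate(pattern, paths=SAMPLE_PATHS):
    """Map each sample path to whether the pattern denies it."""
    return {p: is_denied(pattern, p) for p in paths}


def coverage_gaps(base_pattern, hardened_pattern, paths=SAMPLE_PATHS):
    """Paths the hardened pattern denies but the base pattern lets through."""
    return [p for p in paths
            if is_denied(hardened_pattern, p) and not is_denied(base_pattern, p)]


if __name__ == "__main__":
    for name, pattern in (("original", ORIGINAL_PATTERN),
                          ("multi-script", MULTI_SCRIPT_PATTERN),
                          ("hardened", HARDENED_PATTERN)):
        print(f"== {name}: {pattern}")
        for path, denied in evaluate(pattern).items():
            print(f"  {'DENY ' if denied else 'allow'}  {path}")
    print("gaps in the original pattern:",
          coverage_gaps(ORIGINAL_PATTERN, HARDENED_PATTERN))
```

Two things the run makes visible: the unanchored match is what lets the original rule also catch `/files/upload.php/image.jpg`, so don't "tidy it up" by adding a trailing `$`; and because `=~` is case-sensitive, `/files/upload.PHP` slips past the original pattern, which is why the hardened variant starts with `(?i)`. Over-blocking a name like `notes.php.txt` is the cheap side of this trade-off.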