The following two files are 100% identical on the server - one of them is just called .php, and the PHP code in the comment field of the picture is therefore executed.
... furthermore, MSIE still shows the .php file as a picture, even though the content-type is text/html. Check the .php file in another browser.
Lesson: Don't just check whether an uploaded file validates as a picture. Make sure you specify the extension (e.g. .gif) yourself.
- Peter Brodersen