The main danger related to the way Moodle implements file uploads is the potential distribution of virus-infected files. There are two major groups of viruses: the classic binary virus, which distributes itself in the form of an executable program, and the macro virus, which spreads through document files and templates.
A computer program capable of copying itself by infecting other executables during its execution is called a virus. Such viruses are always targeted at a particular type of operating system, so viruses written for Microsoft Windows will not run on Apple OS X and vice versa.
Document files are usually infected with so-called macro viruses, which are computer viruses written in the macro programming language of a document application. Unlike standard viruses, which infect executable files (other programs), these infect documents and document templates. The document types most affected are those produced by the Microsoft Office suite, and the most affected applications are Word, Excel, and PowerPoint.
The main question here is what we, as administrators, can do in terms of platform configuration to prevent the spread of these kinds of files. Here is some advice that can help you make your website more secure.
If your users do not need the advanced editing features of the WYSIWYG editor, you can disable it globally. That way you are essentially blocking file upload through the insert image feature for teachers and administrators, and external file linking for common users. To do that, visit Administration | Appearance | HTML editor and uncheck the Use HTML editor option.
As we have previously mentioned, by default users can attach files to their posts in any forum. We recommend disabling attachments at the platform level and enabling them only in the specific forums where you need that feature. To disable forum attachments globally, visit the Administration | Modules | Activities | Forum page and change the Maximum attachment size option to 0 bytes.
Setting it like this means that any new forum created in any course will have attachments disabled by default.