Safe File Extensions


I'm working on an online file manager as part of a website running on a LAMP stack. What are some file extensions I should disallow for uploaded files? ".php" is an obvious one.


Solution

  • I think you'd be better off configuring Apache so it won't even try to run scripts from the upload directory. Then it doesn't matter if someone uploads a .php file -- if someone else browses to that file, the server will serve it up just like any .gif or .jpg, rather than trying to run it on the server -- i.e., the user will just get a .php file downloaded to their computer.

    (Note that I'm nothing of an Apache expert, so I don't know exactly what configuration changes you have to make to disable script execution -- but it should be easy to look at your config file, see what's already turned on for your main directory, and reverse it for your uploads directory.)

    You might also need to watch out for the GIFAR exploit.
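An Apache configuration fragment that implements the answer's suggestion, added here as an example; it is not part of the original answer or of any particular project. It assumes Apache 2.4 with the uploads living under /var/www/html/uploads (a placeholder path), PHP served either by mod_php or by PHP-FPM, and mod_headers loaded. Adjust the path, the module name and the extension list to match the actual server.

```apache
# Added example (not from the original answer): make the upload directory
# serve every file as static content, never as a script.
# Assumed path: /var/www/html/uploads -- replace with the real upload location.
<Directory "/var/www/html/uploads">
    # No .htaccess processing here, so an uploaded .htaccess cannot
    # re-enable handlers or options.
    AllowOverride None

    # No CGI execution, no server-side includes, no directory listing.
    Options -ExecCGI -Includes -Indexes

    # mod_php only: switch the PHP engine off for this directory tree.
    # php_admin_flag cannot be overridden by .htaccess or ini_set().
    # (Older builds name the module mod_php7.c or mod_php5.c.)
    <IfModule mod_php.c>
        php_admin_flag engine off
    </IfModule>

    # Detach any handler or MIME type mapped to script extensions elsewhere
    # in the config, then serve everything with the plain static-file handler.
    RemoveHandler .php .phtml .phar .php3 .php4 .php5 .php7 .phps .cgi .pl .py
    RemoveType    .php .phtml .phar .php3 .php4 .php5 .php7 .phps
    SetHandler default-handler

    # Belt and braces: refuse to serve script-like names at all. This also
    # covers PHP-FPM setups, where a server-wide <FilesMatch> SetHandler
    # proxy rule would otherwise be merged after this <Directory> block.
    <FilesMatch "(?i)\.(php\d?|phtml|phar|phps|cgi|pl|py|sh)$">
        Require all denied
    </FilesMatch>

    # Deliver files as downloads and forbid browser MIME sniffing, so a
    # file is handled according to the declared type, not its bytes.
    <IfModule mod_headers.c>
        Header set Content-Disposition "attachment"
        Header set X-Content-Type-Options "nosniff"
    </IfModule>
</Directory>
```

After reloading Apache, verify the block rather than trusting it: upload a harmless file named `test.php` containing `<?php echo 1;` and request it; the correct result is a 403 (or, if you drop the `FilesMatch` deny, the raw source as a download), never the output `1`. `Content-Disposition: attachment` also forces images to download instead of displaying inline; if the manager must show thumbnails, serve re-encoded copies from a separate hostname instead, which is also the usual mitigation for GIFAR-style polyglot files, since they rely on one file being accepted as two formats on the same origin. Storing uploads outside the document root and streaming them through a download script removes the problem entirely, at the cost of some throughput.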