Manual:$wgFileBlacklist

Details
Files with these extensions will never be allowed as uploads. array(   # HTML may contain cookie-stealing JavaScript and web bugs    'html', 'htm', 'js', 'jsb',    # PHP scripts may execute arbitrary code on the server    'php', 'phtml', 'php3', 'php4', 'php5', 'phps',    # Other types that may be interpreted by some servers    'shtml', 'jhtml', 'pl', 'py', 'cgi',    # May contain harmful executables for Windows victims    'exe', 'scr', 'dll', 'msi', 'vbs', 'bat', 'com', 'pif', 'cmd', 'vxd', 'cpl' );

History

 * 'cgi' was added in 1.3.8
 * 'js' and 'jsb' were added in 1.5.0
 * 'php5' was added in 1.8.0