Once a person in able to upload a file to your web server, he will be able to upload a "shell". Many of those shell versions are freely available on the net. eg.: shell ASP
The ASP script aspshell.asp is a simple web application that provides a shell like environment for administering Microsoft IIS web servers. Commands submitted from a web browser are executed on the web server. The output is transferred back and dumped in the browser window.
This means that the person who can access this shell, is able to manage your complete webserver.
He can also insert an iframe into your webpage and have a spoofed webpage shown to your customers. Maybe this page asks for personal details, login details, creditcard details, ... and next to keeping the information to itself, it will send the output also to your web server back so nobody gets suspicious.
The scenarios you could build with this idea don't have a limit.
Sysadmins should monitor their servers and act asap. Otherwise they are playing with the confidentiality of their customers.
NOTE: All this for educational purpose. I am not responsibility for any kind of problems which you cause in careless usage.