The user mailed back and just said "he used Paint". I am quite certain that he just renamed the BMP to PNG, as I tried it just now, and it works! Uploaded a BMP by changing the extension to .PNG - so I guess we need to check the file *content* server-side and convert the BMP to PNG.
This brings up the necessity to check for each uploaded file whether it is really an image -> "You could use getimagesize() which returns zeros for size on non-images." ... we definitely should add this to qa-wysiwyg-upload.php
Maybe this is even a security leak?
I just tried: Renamed a PDF to PNG, CKEditor uploaded it!
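
One way to do the content check and BMP conversion discussed above, as an added example that is not part of the original post or of qa-wysiwyg-upload.php. The helper name `normalize_uploaded_image()` and the form field name `upload` are assumptions; it needs the GD extension, and `imagecreatefrombmp()` requires PHP 7.2 or later.

```php
<?php
// Added example; normalize_uploaded_image() is a hypothetical helper name.

function normalize_uploaded_image(string $tmpPath): ?array
{
    // Decide by file content, never by the client-supplied name or MIME type.
    $info = @getimagesize($tmpPath);
    if ($info === false || $info[0] < 1 || $info[1] < 1) {
        return null; // a PDF renamed to .png ends up here
    }

    // Detected type => [GD loader, GD writer, extension to store under]
    $handlers = [
        IMAGETYPE_PNG  => ['imagecreatefrompng',  'imagepng',  'png'],
        IMAGETYPE_JPEG => ['imagecreatefromjpeg', 'imagejpeg', 'jpg'],
        IMAGETYPE_GIF  => ['imagecreatefromgif',  'imagegif',  'gif'],
        IMAGETYPE_BMP  => ['imagecreatefrombmp',  'imagepng',  'png'], // BMP is converted
    ];
    if (!isset($handlers[$info[2]])) {
        return null; // a real image, but not a type we accept
    }
    [$load, $write, $ext] = $handlers[$info[2]];

    $img = @$load($tmpPath);
    if ($img === false) {
        return null; // header looked like an image but the body did not decode
    }
    imagesavealpha($img, true); // keep PNG transparency when re-encoding

    // Re-encode so that only decoded pixel data is stored, not the original bytes.
    ob_start();
    $ok = $write($img);
    $data = ob_get_clean();

    return $ok ? ['ext' => $ext, 'data' => $data] : null;
}

// Usage in an upload handler (the field name 'upload' is an assumption):
if (isset($_FILES['upload']) && is_uploaded_file($_FILES['upload']['tmp_name'])) {
    $image = normalize_uploaded_image($_FILES['upload']['tmp_name']);
    if ($image === null) {
        http_response_code(400);
        exit('Uploaded file is not a supported image.');
    }
    // Store $image['data'] under a server-generated name ending in $image['ext'].
}
```

Re-encoding through GD keeps only the first frame of an animated GIF, so a site that needs animation would have to store the original bytes for that type after the same checks.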