Attention
TYPO3 v12 has reached end-of-life as of April 30th 2026 and is no longer being maintained.
Avoid insecure file uploads
Uploading untrusted scripts (e.g. PHP, Perl, Python) or executables into the web root is a major security risk. TYPO3 prevents this via backend restrictions (see Global TYPO3 configuration options).
These safeguards are bypassed if services like FTP, SFTP, SSH, or WebDAV allow direct file uploads, commonly into fileadmin/.
Such access can lead to:
- Upload of malicious scripts
- TYPO3 Core files being overwritten
- Abuse via leaked credentials
Recommended actions:
- Disable FTP/SFTP/SSH access to the document root for users.
- Use the TYPO3 backend for file uploads.
- Enforce secure upload policies in the TYPO3 file storage configuration.
Warning
The TYPO3 Security Team considers FTP to be insecure due to the lack of encryption. Do not use FTP under any circumstances.
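Files that reached fileadmin/ through FTP, SFTP, SSH or WebDAV never passed the backend restrictions, so an administrator may want to audit the directory for them. The following is an added example, not TYPO3 code: the deny pattern, the reason labels and the names `audit_upload_dir`, `DENY_NAME` and `demo` are assumptions, and the sample tree is constructed.

```python
import os
import re
import stat
import tempfile

# Assumption: deny list modelled on the script types the page names (PHP, Perl,
# Python) plus .htaccess; align it with what your web server actually executes.
DENY_NAME = re.compile(r"\.(php[3-8]?|phtml|phar|pl|py|cgi)(\..*)?$|^\.htaccess$", re.I)

def audit_upload_dir(root):
    """Return sorted (relative_path, reason) findings for files under root."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue  # skip symlinks, sockets and other special files
            if DENY_NAME.search(name):  # also catches double extensions: x.php.txt
                findings.append((rel, "denied-extension"))
                continue
            if mode & 0o111:
                findings.append((rel, "executable-bit"))
            with open(path, "rb") as fh:
                head = fh.read(1024)
            if b"<?php" in head or head.startswith(b"#!"):  # script behind a harmless name
                findings.append((rel, "script-content"))
    return sorted(findings)

def demo():
    samples = {  # constructed sample tree standing in for fileadmin/
        "user_upload/photo.jpg": b"\xff\xd8\xff\xe0 constructed image bytes",
        "user_upload/shell.php": b"<?php /* constructed placeholder */",
        "user_upload/report.php.txt": b"constructed placeholder",
        "user_upload/avatar.gif": b"GIF89a<?php /* constructed placeholder */",
        "tools/run": b"#!/bin/sh\n# constructed placeholder\n",
        ".htaccess": b"# constructed placeholder\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        os.chmod(os.path.join(root, "tools", "run"), 0o755)
        return audit_upload_dir(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Pointing `audit_upload_dir` at the real fileadmin/ path and reviewing each finding against the backend's own upload history shows which files arrived by a side channel.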