Avoid insecure file uploads
Uploading untrusted scripts (e.g. PHP, Perl, Python) or executables into the web root is a major security risk. TYPO3 prevents this via backend restrictions (see Global TYPO3 configuration options).
These safeguards are bypassed if services like FTP, SFTP, SSH, or WebDAV allow direct file uploads, commonly into fileadmin/.
Such access can lead to:
- Upload of malicious scripts
- TYPO3 Core files being overwritten
- Abuse via leaked credentials
Recommended actions:
- Disable FTP/SFTP/SSH access to the document root for users.
- Use the TYPO3 backend for file uploads.
- Enforce secure upload policies in the TYPO3 file storage configuration.
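As an added audit check (not part of the TYPO3 documentation or its code), the following Python script walks an upload directory such as fileadmin/ and lists every file that the backend's deny pattern would have refused; anything it reports arrived through a side channel such as SFTP rather than the backend. The regular expression is an assumption modelled on the shape of TYPO3's `$GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern']`, so take the real value from your instance's configuration before relying on it.

```python
import os
import re
import tempfile
from typing import List, Tuple

# Assumption: a deny pattern shaped like TYPO3's BE fileDenyPattern (script extensions,
# double extensions such as .php.jpg, and .htaccess). Replace with the instance's real value.
DENY_PATTERN = re.compile(
    r"\.(php[3-8]?|phpsh|phtml|pht|phar|shtml|cgi|pl)(\..*)?$|^\.htaccess$",
    re.IGNORECASE,
)


def find_denied_files(root: str) -> List[Tuple[str, str]]:
    """Return (relative path, reason) for every file under root that the backend upload
    restrictions would have rejected. Such files did not come in through the TYPO3 backend,
    so each one deserves an incident look (who put it there, via which service)."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if DENY_PATTERN.search(name):
                rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
                findings.append((rel, "matches fileDenyPattern"))
    return sorted(findings)


def demo() -> List[str]:
    """Build a constructed fileadmin/ tree in a temporary directory and audit it.
    The file names and contents are sample data, not taken from any real site."""
    sample = {
        "user_upload/report.pdf": b"%PDF-1.4 placeholder",
        "user_upload/logo.png": b"\x89PNG placeholder",
        "user_upload/shell.php": b"placeholder",          # plain script upload
        "user_upload/image.php.jpg": b"placeholder",      # double extension
        "templates/index.PHTML": b"placeholder",          # upper-case extension
        "scripts/run.pl": b"placeholder",                 # Perl script
        ".htaccess": b"placeholder",                      # webserver config override
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in sample.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
        return [path for path, _reason in find_denied_files(root)]


if __name__ == "__main__":
    for hit in demo():
        print("denied-pattern file found:", hit)
```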
Warning
The TYPO3 Security Team considers FTP to be insecure due to the lack of encryption. Do not use FTP under any circumstances.