Unauthenticated File Upload fixed in RSFiles! version 1.17.12 - update NOW!

in Development, RSFiles! on 10 Jul 2026 having 0 comments

A critical flaw in the RSFiles! upload function allows unauthenticated file uploads without enforcing any file extension.

What this means is that any attacker, without having an account on your website, can upload a .php file in your /downloads directory and execute it.

The bottom line is: update immediately to RSFiles! 1.17.12 which fixes this along some other not-reported, but less critical security issues.

Is this exploited in the wild?

Fortunately, at the time of writing, the vulnerability is not public information. It has been privately disclosed by the team at mySites.guru which we thank and recommend - they deliver fantastic services. However, as this is now disclosed, this will be exploited in the wild probably in a few hours after the new version has been released.

How to mitigate this

If you are using RSFirewall!, by default file uploads with a .php extension are silently deleted so you're protected.

Update as soon as possible

Do not rely on firewalls to keep up with this - your immediate action should be to update RSFiles! to the latest release. If updating is not possible, delete /components/com_rsfiles/controllers/rsfiles.php. This will render RSFiles! unusable, but the file contains the affected code so you won't be vulnerable.

Things to check regardless if you're affected or not

  • Any stray .php files in the downloads/ folder and in any other sub-folders;
  • Any stray .php files in the briefcase/ folder and in any other sub-folders;
  • Check if your download folders are secure - go to RSFiles - Settings - Files and tick both the 'Secure download folder' and 'Secure briefcase folder' checkboxes. This will create a file named .htaccess that disallows direct access to these folders, so files will only be served through RSFiles!.
  • Check your server's raw access logs for POST requests pointing to
    index.php?option=com_rsfiles&task=rsfiles.upload that are not preceded by a request to index.php?option=com_rsfiles&task=rsfiles.checkupload


Subscribe to our blog

Found this article interesting? Subscribe to our blog for more.

1000 Characters left