TYPO3 debug mode enabled

Description

The TYPO3 CMS installation has debug mode enabled in a production environment. Debug mode is intended for development purposes only and exposes detailed system information including file paths, database queries, configuration settings, and error stack traces. This configuration should never be active in production as it significantly increases the attack surface by revealing internal application details to potential attackers.

Remediation

Disable debug mode immediately in the production environment by modifying the TYPO3 configuration.

In typo3conf/LocalConfiguration.php or config/system/settings.php (TYPO3 v9+), ensure the following values are set:

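[
  'BE' => [
    'debug' => false,            // backend debug mode off
  ],
  'FE' => [
    'debug' => false,            // frontend debug mode off
  ],
  'SYS' => [
    'displayErrors' => 0,        // never render PHP errors to the client
    'devIPmask' => '',           // no client IP is treated as a developer
    'exceptionalErrors' => 0,    // no PHP error levels are turned into exceptions
  ],
]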

After making these changes, clear all TYPO3 caches through the backend or using the command line. Verify that debug output is no longer visible by testing the application. Implement proper logging mechanisms to capture errors securely without exposing them to end users.
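One way to check these values before or after a deployment is to load the settings file and compare the five keys against the values above. The script below is an added example, not code from Invicti or the TYPO3 project; the script name, the function auditDebugSettings and the sample array are assumptions made for illustration.

```php
<?php
// Added example (hypothetical script name): php check_typo3_debug.php [settings-file]
declare(strict_types=1);

/** Compare the debug-related keys with the production values listed above. */
function auditDebugSettings(array $conf): array
{
    $expected = [
        'BE.debug' => false,
        'FE.debug' => false,
        'SYS.displayErrors' => 0,
        'SYS.devIPmask' => '',
        'SYS.exceptionalErrors' => 0,
    ];
    $findings = [];
    foreach ($expected as $path => $want) {
        [$section, $key] = explode('.', $path);
        if (!is_array($conf[$section] ?? null) || !array_key_exists($key, $conf[$section])) {
            // Key absent: this file does not pin the value, so it comes from elsewhere.
            $findings[] = "$path is not set in this file";
            continue;
        }
        $have = $conf[$section][$key];
        // Loose comparison: 0, '0' and false all count as "off" for the boolean and integer keys.
        if ($have != $want) {
            $findings[] = sprintf('%s is %s, expected %s', $path, var_export($have, true), var_export($want, true));
        }
    }
    return $findings;
}

// Constructed sample: a settings array as a development setup might leave it.
$sample = [
    'BE' => ['debug' => true],
    'FE' => ['debug' => false],
    'SYS' => ['displayErrors' => 1, 'devIPmask' => '*', 'exceptionalErrors' => 0],
];

// With a path argument, audit that file; it must return an array, as the TYPO3 settings files do.
$conf = isset($argv[1]) ? (require $argv[1]) : $sample;
if (!is_array($conf)) {
    fwrite(STDERR, "settings file did not return an array\n");
    exit(2);
}
$findings = auditDebugSettings($conf);
foreach ($findings as $finding) {
    echo "FAIL: $finding\n";
}
exit($findings === [] ? 0 : 1);
```

The script only sees the file it is given. Values overridden at runtime in typo3conf/AdditionalConfiguration.php or config/system/additional.php are not covered, so review those files as well.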
