A TWiki Security Alert reports:
The TWiki upload filter already prevents executable
scripts such as .php, .php1, .phps, .pl from potentially
getting executed by appending a .txt suffix to the
uploaded filename. However, PHP and some other types
allow additional file suffixes, such as .php.en, .php.1,
and .php.2. TWiki does not check for these suffixes,
e.g. it is possible to upload PHP scripts with such
suffixes without the .txt filename padding.
This issue can also be worked around with a restrictive web
server configuration. See the
TWiki Security Alert for more information about how to do
this.
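
The gap described in the alert, shown as an added example that is not TWiki's own code: a filter that inspects only the final suffix next to one that inspects every dot-separated suffix. The function names, the BLOCKED pattern and the sample filenames are assumptions made for illustration.

```python
import re

# Assumption: illustrative list of script suffixes, not TWiki's real filter pattern.
BLOCKED = re.compile(r"php\d*|phps|pl", re.IGNORECASE)


def last_suffix_filter(filename: str) -> str:
    """Pad with .txt only when the final suffix is a script type.

    This is the behaviour the alert describes as insufficient.
    """
    _base, dot, ext = filename.rpartition(".")
    if dot and BLOCKED.fullmatch(ext):
        return filename + ".txt"
    return filename


def any_suffix_filter(filename: str) -> str:
    """Pad with .txt when any suffix after the base name is a script type."""
    suffixes = filename.split(".")[1:]  # drop the base name, keep every suffix
    if any(BLOCKED.fullmatch(s) for s in suffixes):
        return filename + ".txt"
    return filename


def compare(names):
    """Return (name, last-suffix result, any-suffix result) for each name."""
    return [(n, last_suffix_filter(n), any_suffix_filter(n)) for n in names]


# Constructed sample filenames, not taken from the alert's test data.
SAMPLES = ["shell.php", "shell.php.en", "shell.PHP.1", "report.en.pdf", "phpinfo.png"]

if __name__ == "__main__":
    for name, weak, strict in compare(SAMPLES):
        print(f"{name:15} last-suffix -> {weak:20} any-suffix -> {strict}")
```

Filename padding is one layer only; the restrictive web server configuration mentioned in the alert is what stops the server from treating an inner suffix as a script type.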