Out of curiosity, is the source code for DFFD available anywhere?
It seems to be based on PHCDownload (https://github.com/AlexanderGW/phcdownload), which seems to be under the GPL. While the question of whether the GPL applies to server software is dubious, it would be a good gesture to make the software OSS (especially if it's still running on the same old PHP version as the original source code release) and would allow other users to help find potential security bugs.
It's not available anywhere at the moment. It's actually been pretty heavily modified from the original PHCDownload codebase at this point, which does seem to have been abandoned by the author quite some time ago. Besides a decent bit of new and changed functionality, I did end up patching some security holes that the original had after a full security sweep through the entire codebase at one point many years ago. I've done a couple more brief passes since then with fresh eyes and found nothing else. I take security very seriously and keep it in mind with any updates I make, and I try to thoroughly test things out on a test server before making them live.
I've also updated the codebase to work with modern PHP versions.
While I'm not a proponent of security through obscurity, I also don't feel particularly compelled to release the code for it. It has been modified to work solely with a custom-compiled version of Nginx (though currently at least able to use the OpenResty offshoot) to allow for large uploads without tying up a PHP worker for the duration and to allow tracking and reporting live upload progress to the person submitting the file. That and other things in the code would take some work to make optional and allow for a more standard/basic server setup by other people. I also have several things hardcoded that I wouldn't normally need to change for my setup (but could easily change myself if needed), but for general use by others would call for adding further configuration options.
I just don't feel like or really have the time to work on that.