Unmasking the Silent Threat: How Unrestricted File Uploads Can Hijack Your Data

Wilson Chua
3 min readAug 15, 2023


What follows is a fictious story. Any similarity with actual people, places and events are purely coincidental.

In the realm of Techmedica, a revered health institution known as “Healing Haven” was a beacon of hope for the ailing and infirm. Within its digital walls, patients could submit their medical documents and images through the institution’s web portal for seamless diagnostics and treatment recommendations.

Yet, lurking beneath the façade of medical benevolence, an ominous threat lay in wait, ready to exploit the unsuspecting vulnerability of unrestricted file uploads.

Amidst the hustle and bustle of Healing Haven’s bustling digital corridors, a shadowy figure known as Seraphus was plotting malevolence. Armed with a potent webshell, a sinister code that could grant complete control over servers, Seraphus aimed to infiltrate the heart of Healing Haven’s systems and reap the forbidden fruits of unrestricted access.

Crafting the webshell in the form of an innocuous-looking MRI scan image, Seraphus weaved his dark intentions into its servers. He knew that Healing Haven’s lax file upload policies would allow his devious creation to pass through unnoticed. With the upload complete, the webshell silently took root within the institution’s server, biding its time…waiting for its master to call it into action.

With a whispered incantation, Seraphus activated the webshell, granting him unfettered access to the heart of Healing Haven’s digital realm. Like a malevolent puppeteer, he expanded his control to other servers. From there this malevolent sorcerer got hold of Healing Haven’s medical records, and sensitive patient data. The institution’s defenses crumbled, as Seraphus exfiltrated invaluable patient information and even manipulated medical diagnoses to sow chaos and confusion. Soon a ransom note will be sent. “Pay up or else!”

As panic spread among Healing Haven’s staff and patients, a group of valiant cybersecurity experts emerged from the shadows. Armed with the knowledge of digital spells, they dissected the webshell’s malicious code and unraveled its intricate threads. It became evident that Healing Haven’s permissive file upload mechanism had paved the way for this dire breach.

Swiftly, the cybersecurity wizards cast their counter-spells. They fortified the institution’s defenses with rigorous file validation (see below), size restrictions, and secure storage practices (encrypt sensitive data). They sealed off the vulnerabilities (update the server’s OS, CMS, plugins) that Seraphus had exploited, ensuring that no unauthorized code could infiltrate their systems again.

With their safeguards in place, the cybersecurity experts launched a meticulous search-and-destroy mission, eradicating the webshell’s presence from Healing Haven’s servers (by searching for all recently modified files). Seraphus’s grip on the institution’s digital realm loosened, and the institution’s integrity was restored.

The tale of Techmedica’s Healing Haven serves as a haunting parable, illustrating the perilous consequences of unrestricted file uploads in sensitive environments. Just as the cybersecurity experts rose to defend their digital haven, modern institutions must arm themselves with the power of code and vigilance to safeguard against the lurking darkness of cyber threats.

PostScript: Lessons learned:
Practical Tips to counter the scourge of “Unrestricted File Access”

Server side counter-measure:

<Directory “/directory_where_files_are _uploaded”>
<FilesMatch “\.(<?php strtolower(php|sh|exe|bat|com|aspx|msi|msp|cmd|vbe|js|msh|msh1|mshxml|scf|lnk|inf|reg|php5|pht|phtml|shtml|asa|cer|asax|swf|xap) ?>)$”>
Deny from all

Web code to check for malicious file uploads:

$allowedTypes = [‘image/jpeg’, ‘image/png’, ‘application/pdf’];
$fileType = $_FILES[‘uploadFile’][‘type’];

if (in_array($fileType, $allowedTypes)) {
// Process the uploaded file
} else {
// Reject the file

Web code to rename and Store securely:

$uploadedFile = $_FILES[‘uploadFile’][‘tmp_name’];
$fileExtension = pathinfo($_FILES[‘uploadFile’][‘name’], PATHINFO_EXTENSION);
$newFileName = md5(uniqid()) . ‘.’ . $fileExtension;
$destination = ‘/path/to/uploaded/files/’ . $newFileName;

move_uploaded_file($uploadedFile, $destination);

The are two other counter-measure contributed by Alvin Veroy. The first one is to store uploaded files outside of webroot. And the second one is to redirect the files uploaded to a temporary AWS S3 bucket. It then calls on jotti’s API service. This Jotti will scan the file using multiple antivirus and malware scanners. So “Kahit na malicious script na dedetect” and the file is blocked, if it is.

Contributed by: Alvin Veroy, Technology Director at Inversal

As always, do drop by and share your thoughts. We love to know if it helps (or not) in your line of work.