Addressing Security Concerns

The CFFILE and CFDIRECTORY tags present something of a security concern. Because these tags can manipulate files and directories outside of the Web directory tree and can delete files without confirmation, they need to be used with extreme care. The CFFILE tag particularly requires careful scrutiny because it can also be used to upload files onto the server, which could then later be used with malicious intent. On most sites, the number of people who can create Web content and ColdFusion templates on the server is tightly controlled. In these circumstances, these tags can be used with relative security.

However, some sites allow a wide range of users to create Web content and upload it, usually to personal directories, on the server. In these circumstances, it would be useful to disable dangerous tags such as CFFILE and CFDIRECTORY. These tags, and other tags of concern, can be disabled on the Basic Security page of the ColdFusion Administrator. The ColdFusion Administrator is discussed in detail in Chapter 35, “ColdFusion Administration.” Refer to that chapter for details of disabling and enabling these tags.
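Where CFFILE cannot simply be disabled, the upload action itself can be written defensively. The following template is an added example and is not code from the book; it assumes a CFML engine that exposes the cffile result scope (ColdFusion MX or later, or Lucee), a form field named "userfile" posted as multipart/form-data, and an upload directory outside the Web root, given here as a placeholder path. Files are accepted only from a fixed extension list, checked against a size limit, and renamed to a server-generated name so that a user-supplied file name never reaches the file system.

```cfml
<!--- Added example: hardened CFFILE upload handler (not the book's code).
      Assumptions: form field "userfile"; uploadDir is a placeholder that
      must point OUTSIDE the Web directory tree so uploads are never served
      as templates. --->
<cfset allowedExtensions = "jpg,jpeg,gif,png,pdf">
<cfset maxBytes = 2 * 1024 * 1024>
<cfset uploadDir = "C:\data\uploads\">  <!--- placeholder, outside the Web root --->

<cfif NOT StructKeyExists(form, "userfile") OR NOT Len(Trim(form.userfile))>
    <cfthrow message="No file was submitted.">
</cfif>

<!--- "accept" limits the MIME type the browser reports; "makeunique" stops
      an upload from silently overwriting an existing file. --->
<cftry>
    <cffile action="upload"
            filefield="userfile"
            destination="#uploadDir#"
            nameconflict="makeunique"
            accept="image/jpeg,image/gif,image/png,application/pdf">
    <cfcatch type="any">
        <cfthrow message="Upload rejected: unacceptable content type.">
    </cfcatch>
</cftry>

<cfset savedPath = uploadDir & cffile.serverFile>

<!--- The MIME type is client-controlled, so also check the extension that
      was actually written to disk and the size of the saved file. --->
<cfif NOT ListFindNoCase(allowedExtensions, cffile.serverFileExt)
      OR cffile.fileSize GT maxBytes>
    <cffile action="delete" file="#savedPath#">
    <cfthrow message="Upload rejected: disallowed extension or file too large.">
</cfif>

<!--- Replace the user-chosen name with a server-generated one so that
      nothing the client typed influences the stored file name. --->
<cfset safeName = CreateUUID() & "." & LCase(cffile.serverFileExt)>
<cffile action="rename"
        source="#savedPath#"
        destination="#uploadDir##safeName#">

<cfoutput><p>Stored as #safeName#</p></cfoutput>
```

The extension list is a whitelist rather than a blacklist: a list of forbidden extensions is easy to get wrong, while a short list of permitted ones fails safe. Keeping the destination outside the Web root means that even a file which slips past the checks is never reachable as a URL or executed as a ColdFusion template. Disabling the tag in the ColdFusion Administrator, as described above, remains the stronger control where the tag is not needed at all.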

Where Do We Go from Here?

The next chapter looks at using ColdFusion Studio to develop ColdFusion-based applications. ColdFusion Studio is a complete development environment for ColdFusion that provides wizards for building complete ColdFusion tags, a query builder for database interaction, syntax validation, and automatic formatting. ColdFusion Studio also offers the necessary tools to work with ColdFusion Server’s remote development services for direct editing of files on a server.

