
418 Chapter 10 • Securing ColdFusion
www.syngress.com
Exposing Included Code
An additional problem arises with the use of this tag.
Many people like to segment their code into reusable files that can
be included with the CFINCLUDE tag. For organization, they usually
place these files in subdirectories of their application. Common
subdirectory names include includes, queries, display, and so on.
Depending on how the Web server is set up, this may cause
a security problem. If a Web server has directory browsing turned
on (which should never happen), looking at an includes directory
(for example) will result in a list of all the files to be included. ...
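
To see what a directory listing would reveal, the following added example (not code from the book) walks a Web root, finds the include-style subdirectories named above, and reports the files each one would expose if directory browsing were on. The default-document names, the function names, and the sample layout are assumptions constructed for illustration.

```python
import os
import tempfile

# Directory names the text lists as common homes for included files.
INCLUDE_DIR_NAMES = {"includes", "queries", "display"}
# Assumption: default documents the Web server would serve instead of a listing.
DEFAULT_DOCS = {"index.cfm", "index.htm", "index.html", "default.htm"}


def audit_include_dirs(webroot):
    """Return one finding per include-style directory under webroot."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        dirnames.sort()  # deterministic walk order
        if os.path.basename(dirpath).lower() not in INCLUDE_DIR_NAMES:
            continue
        has_default = any(f.lower() in DEFAULT_DOCS for f in filenames)
        findings.append({
            "directory": os.path.relpath(dirpath, webroot).replace(os.sep, "/"),
            # With no default document, directory browsing lists every file.
            "listing_possible": not has_default,
            "files": sorted(f for f in filenames if f.lower() not in DEFAULT_DOCS),
        })
    return findings


def build_sample_webroot(root):
    """Constructed sample layout, not taken from the book."""
    layout = [
        "index.cfm",
        "includes/header.cfm",
        "includes/dsn_settings.cfm",
        "queries/index.cfm",
        "queries/get_users.cfm",
        "images/logo.gif",
    ]
    for rel in layout:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()  # empty placeholder file


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_webroot(root)
        for f in audit_include_dirs(root):
            state = "LISTABLE" if f["listing_possible"] else "default doc present"
            print(f"{f['directory']}: {state}; files: {', '.join(f['files'])}")
```

A default document only masks the listing for that one directory; the files it reports remain in the Web root.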