ColdFusion comes with three tags that make it possible to manipulate files and directories on both local and remote servers and an additional tag that can be used to execute command-line programs on a local ColdFusion server. These tags enable you to build sophisticated applications such as document management systems, forms capable of accepting file uploads, FTP clients, and more.

The cfdirectory and cffile tags allow you to manipulate directories and files on your local ColdFusion server, while the cfftp tag makes it possible to conduct file transfers between your ColdFusion server and remote FTP servers. The cfexecute tag lets you execute command-line programs. cffile, cfdirectory, and cfexecute present a potential security hazard, as these tags have direct access to the filesystem of the ColdFusion server. Therefore care should be taken with their use and deployment. Depending on the configuration of your web server and operating system, it may also be possible to upload executable code via the cffile tag and execute it on your server. The consequences can be potentially devastating to a system as a user could easily upload malicious code to the server and subsequently execute it. Therefore, both tags can be disabled from the ColdFusion administrator, should you decide not to make them available to developers on your server.