
Re: cffileupload mime type restriction?

You need to check the cffile.ServerFileExt variable which contains the file extension to make sure it matches your set of allowed extensions. Make sure you upload into a folder outside of the webroot first (such as getTempDirectory()) to avoid some potential security issues.


You can also use IsImageFile() in addition to the file extension test, but you should not rely on IsImageFile() (always check the file extensions).


If you have CF10, you can use <cffile accept="*.jpg,*.png" strict="false" ...> as well.


In short: don't rely on the MIME type for anything; it can be spoofed by a hacker to upload malicious files. Always check the file extension (worth repeating).


-- Pete Freitag

Foundeo Inc - Makers of HackMyCF & FuseGuard
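The upload flow described in the reply above, written out as an added example (this is not code from the original post or from Foundeo). It assumes a form field named "photo", a final destination directory outside the webroot stored in application.uploadDir, and a JPG/PNG/GIF image use case; those names and the allowed-extension list are hypothetical and should be adapted to your application.

```cfml
<!--- Added example, not from the original post. Assumed names: form field
      "photo", application.uploadDir (a directory outside the webroot). --->
<cfset allowedExtensions = "jpg,jpeg,png,gif">

<!--- 1. Upload into a temp directory outside the webroot first, so the raw
      file is never reachable by URL while it is still untrusted.
      accept/strict="false" (CF10+) filters on extension instead of on the
      client-supplied MIME type; if the file is rejected here cffile throws. --->
<cffile action="upload"
        filefield="photo"
        destination="#getTempDirectory()#"
        nameconflict="makeunique"
        accept="*.jpg,*.jpeg,*.png,*.gif"
        strict="false">

<cfset tempPath = cffile.serverDirectory & "/" & cffile.serverFile>

<!--- 2. Decide on the extension ColdFusion actually wrote to disk, never on
      cffile.contentType (that is whatever the browser claimed). --->
<cfif NOT listFindNoCase(allowedExtensions, cffile.serverFileExt)>
    <cffile action="delete" file="#tempPath#">
    <cfthrow type="UploadRejected"
             message="Only #allowedExtensions# files are accepted.">
</cfif>

<!--- 3. Supplementary check for image uploads: isImageFile() parses the
      bytes, so a script renamed to .jpg fails here. It supplements the
      extension check rather than replacing it. --->
<cfif NOT isImageFile(tempPath)>
    <cffile action="delete" file="#tempPath#">
    <cfthrow type="UploadRejected"
             message="The uploaded file is not a valid image.">
</cfif>

<!--- 4. Only now move it to its final location, under a server-generated
      name so the user never controls the filename on disk. --->
<cfset finalName = createUUID() & "." & lcase(cffile.serverFileExt)>
<cffile action="move"
        source="#tempPath#"
        destination="#application.uploadDir#/#finalName#">
```

On ColdFusion versions before 10 the strict attribute does not exist, so leave accept off and let step 2 be the gate; the extension and IsImageFile() checks work the same way either way. Wrap the block in cftry if you want rejected uploads to surface as a user-facing message rather than an error page.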

