I have a security group scanning my site and they are reporting that in the GF directory there are executable files and that I should be concerned. When I look, I find .php and .png files created and/or used by the captcha. The png are the different captcha images. The php must be used for something important, but they are the ones the security scan does not like.
OK, the first thing that popped into my head was, "If these are being created every time someone submits a form this is going to be one big directory." Do these ever get purged? How do we keep control of how big the directory gets? Lastly, are there any security issues with having them in there?