(apologies for the length) Russ,
I can tell by your comments that you either have dealt with a lot of hosts or have worked or owned one. Well said. Having worked in the Hosting space for more than 10 years now, I can safely say there is absolutely no 100% way to prevent these exploits on any platform. That is not to say there are not more secure options than shared hosting, but even at that you may need the above average skill set. I can make an argument that shared CF hosting is probably more secure for half the people using Coldfusion out there. How and why? Well most probably have no one actively monitoring their servers. Not only do we have ourselves and tools looking at the servers, but our customers who make us instantly aware of an issue. Even a subpar host probably has a better lock down on CF than many non host managed CF users. How many can say they don't have root kits (or even know what that is) running on their server? Probably a lot on this list, but the average vps, cloud or dedicated user out there, ummm probably not. Example, there was a recent issue we had with hidden elements being injected to files on a shared server. This was actually a customer running Wordpress. How many out there would have found that and how quickly, say on a dedicated server with a site that only gets updated once a month. The best you can do is be vigilant, do your patching and homework and when the next compromise comes, take it on the cheek, mitigate, and take what you learned and try to improve for the next go around. And if you are a hosting customer, it's up to you to be aware and educated on what a host should and shouldn't be doing (aka this list). And then decide if it's time to move on or acceptable to you. Of course I'm speaking in general terms, as this is the case with not only CF, but all platforms. How many times a week do we hear about a drupal or Wordpress issue, just about as often as CF, but if not more. Quick fact, we have more dedicated, vps, cloud (vms) revenue effected by compromises than our shared customers. But let's not all forget the real problem here. It's not cf users, the host or Adobe's fault. It's the dirt bags out there who make escalations happen that result in the 3 am phone calls. Byron Mann Lead Engineer & Architect HostMySite.com ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~| Order the Adobe Coldfusion Anthology now! http://www.amazon.com/Adobe-Coldfusion-Anthology/dp/1430272155/?tag=houseoffusion Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354470 Subscription: http://www.houseoffusion.com/groups/cf-talk/subscribe.cfm Unsubscribe: http://www.houseoffusion.com/groups/cf-talk/unsubscribe.cfm
