Brad Wood

I agree. This is less of a “ColdFusion Fail” and more of a “SysAdmin fail”. It sucks that CF had a couple big exploits that came out last year, but they were only only applicable to un-hardened servers and were patched within weeks by Adobe. ColdFusion E-mails you when new patches come out and visually alerts you in its admin interface. No need to pay a consulting company $6K, just check your mail and click the Update button!

Even so, I agree with outsourcing CC processing. Most companies just aren’t up to it. Stripe allows you to collect CC data right “in your site”, but it’s submitted straight to their servers over secure Ajax and never touches your servers.

Wil Genovese

Brad, that is only for ColdFusion 10 and up. ColdFusion 9 and below have a manual patch system that is rather convoluted and complex. Some of these servers that were exploited were ColdFusion 8 which is long past End of Life for updates. Many times the hosting company isn’t even applying the updates unless specifically asked and even then many hosting companies don’t have the technical expertise to apply the patches correctly. I know this from our experience in fixing servers that have been ‘patched’ by a hosting provider. The short story is that you should hire an expert to manage your servers no matter what platform you are using. ColdFusion has been taking a few punches to the face this past year, but so have all other platforms.

Adobe ขี้เกียจจ่ะ