unless the server itself is vulnerable - like if you are running a very old version of PHP or whatever where you could just type in the right thing into the URL and do all kinds of nasty things.
and you don't even have to know what you're doing. when a new version comes out to fix a security problem, how to take full advantage of that problem quickly becomes public knowledge that can then be exploited by a 12 year old retard who just happened to be in the right chatroom.
especially if you use open-source software, you HAVE to keep it up-to-date, which is a problem when you don't have that kind of access to your web host's server and they don't see it as a big deal. :/
i've been paranoid as hell about security ever since a buddy called me up from an old job and in the course of conversation mentioned an old script i put on our server had been hijacked as a spam-remailer.
