If they were after your sensitive data, they could easily create a back-door in their software and access your server that way.
I really don't feel like hashing (no pun intended :D) this over and over, but there is much more to security than simply encrypting data. There are LEGAL aspects to security too. If someone breaks down my defenses, gets through my firewalls, even uses a back-door in seemingly legitimate software, I can protect myself legally by showing I took reasonable measures to protect my data. However, if I send a configuration file anyplace out of my control, knowing that it has valid user names and passwords, and that information is compromised, any lawyer in the world, not even a good one, will eat me alive in a courtroom. There is far more involved than simple "trust me" or "if they really wanted to...".
Also, since you have 150+ users and run a commercial website, I would suggest you get some sort of dynamic server-based language (PHP, Perl, Python, ASP.NET, etc.).
Most of my site is dynamic content, but I choose to use compiled executables instead of less secured scripting languages. However, I expect the web server software to do a few basic functions, one of which is user management. There is no reason anyone should have to reinvent the wheel on things that properly belong in the server software to begin with.
For the record, Aprelium support was very responsive (as always) and to the best of my knowledge, the problem is solved. I will say that I've found other web server packages to be a bit more mature in certain areas, such as native SSL support and user management, but I have not once found a package that was so well supported as Abyss. It is mainly the support that Aprelium has provided now and in the past that convinced me to switch from Sambar to Abyss on my commercial server.