The bug that's getting the press involves nothing so exotic --- it's a
standard HTTP request for a URL of the form:
http://victim.com/?foo=XXXXXXXXXXXXXXXXX....
with the "correct" number of X's (typically in the range of a few
thousand). Note that:
*) The number of X's required to kill web service seems to vary
from installation to installation
*) However, *precisely* that many X's must be used -- one fewer,
and the query is processed normally; one more, and you get a
bogus 40x error of some kind, but the server remains up.
An exploit for the bug, written in Java for no particular reason,
is available at http://www.eden.com/~tfast/jihad.html (along with
documentation which seems to encourage hostile use in the usual
"of course no one responsible would actually *want* to... nudge
nudge, wink wink" style).
rst