Looks like Sun's ONE Server has a hole such that a hacker could gain control of the Web server. The problem is in the module that connects the Application server to the Web server.
Apparently there is a patch for ver. 6.5 but no patch has been released for ver. 6.0 (@Stake, who published the bulletin provided a workaround).
Check out the whole story here: