A hacker group today declared "may God have mercy on our souls" after releasing a "very friendly" exploit for the potentially devastating Apache flaw reported here on vnunet.com.

The hackers, calling themselves Gobbles Security on the BugTraq mailing list, warned: "Attached is a remote Apache 1.3.X exploit for the 'chunking' vulnerability. This version of the exploit works only on OpenBSD.

"Further, it is very ./friendly and all scriptkids/penetration testers should be able to run it without any trouble. My [sic] God have mercy on our souls."

The group, which only identifies itself through a hushmail address, went on to criticise security experts who have down-played the risk posed by the Apache flaw.

"'Experts' have argued as to why this is not exploitable on x86/*nix. This version of the exploit has been modified to convince these 'experts' that they are wrong," Gobbles claimed.

"This is for immediate release. This may not be sent to any 'advanced warning system', such as ARIS. This was written for the community, and not just a few companies with deep pockets full of the big dollar."

A spokesperson for Apache today told vnunet.com: "There are over 50 million Apache servers out there that potentially need to be patched. This is a humungous number.

"However, this exploit will not work on the latest versions 1.3.26 or 2.0.39. IT managers should upgrade and they should upgrade right now."

The script kiddie-friendly exploit confirms the fears expressed by Apache over how quickly the vulnerability would be targeted.

Two days ago founding member of the Apache Software Foundation, Mark Cox, told vnunet.com:: "We have to assume that serious and intelligent crackers will produce an exploit that targets this vulnerability in a couple of days.

"Then it's only a little while before it filters down to the script kiddies."

The latest versions of Apache servers can be found at Apache's website.