[hackcasual]

I think you need that + the ability to add anything to an environment variable. Not sure how easy that is.

edit: reading this looks like its exploiting CGI scripts, presumeably through the host header

[fabulist]

Setting an environment variable is often pretty easy, but the Host: header is the wrong way to go. The webserver will usually ignore a bad Host: header. User-agent: is much more availing.

[bodyfour]

CGI will typically pass most any header along as a HTTP_headername environment variable (HTTP_HOST is just one example) I'd expect most malicious exploiters to use a non-standard header, since User-Agent's value is often logged.