I am thoroughly impressed. A combination of reflected XSS, insecure file uploads and bad passwords allowed the attackers to gain root on one of the Apache Foundation's servers, and gain non-privileged shell on another one. Here is the story directly from Apache.
In my opinion the most interesting part here is the fact that reflected XSS was used as the initial step. I always thought XSS, particularly the reflected sort, is somewhat over-hyped. I don't think so any more.