Consider a hypothetical network server whose job includes generating e-mail to designated recipients. Such a server might accept e-mail addresses from a socket and pass those addresses to the UNIX Sendmail program. The code fragment to do that might look like this:
chomp($email =<$sock>); system "/bin/mail $email <Mail_Message.txt";
After reading the e-mail address from the socket, we call system() to invoke /usr/lib/sendmail with the desired recipient's address as argument. The standard input to sendmail is redirected from a canned mail message file.
This script contains a security hole. A malicious individual who wanted to exploit this hole could pass an e-mail address like this one:
email@example.com </etc/passwd; cat >/dev/null ...