Re: This is getting overblown
As I understand things, it could be more insidious than that. For example, you have a PHP script you want to run. No problem since that's run directly through a dedicated module, right? However, say the PHP script at some stage wants to zip up a batch of files to send to the user or something like that. For the system to run the archiver, it will use the default shell (probably bash) as the launcher. Unless the PHP script has sanitised the HTTP_ environment variables, bash will run the exploit before proceeding to run the external command the script wanted.
I'm prepared to be proved wrong as I haven't tested this on an unpatched system but it sounds plausible.
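The comment above describes the propagation path: request headers become HTTP_* environment variables in the web server's process, and any child that is launched through the shell inherits them. The following is an added example, not the commenter's code, showing the defensive counterpart: launching the external command with an allow-listed environment built by `env -i`, so that no inherited HTTP_* variable reaches the child shell at all. The function names `run_scrubbed` and `leaked_http_vars` are assumptions made for this illustration, and the exported HTTP_USER_AGENT value is constructed test data.

```shell
#!/bin/sh
# Run a command with an explicitly constructed environment. `env -i` starts
# from an empty environment, so only the variables named here are passed on;
# anything the web server set from request headers (HTTP_*) is dropped.
# Using the absolute /bin/sh path avoids relying on PATH inside the child.
run_scrubbed() {
    env -i PATH="${PATH}" HOME="${HOME:-/}" LANG="${LANG:-C}" "$@"
}

# Demonstration helper: print the names of any HTTP_* variables visible to
# the process that calls it. Used to compare the parent with a scrubbed child.
leaked_http_vars() {
    env | grep '^HTTP_' | cut -d= -f1
}

# Demonstration helper: returns the count of HTTP_* variables a child started
# through run_scrubbed can see (expected to be 0).
scrubbed_child_http_count() {
    run_scrubbed /bin/sh -c 'env | grep -c "^HTTP_"' || true
}

# Constructed sample: simulate a header-derived variable as a web server
# would set it before handing control to the application.
export HTTP_USER_AGENT='constructed-test-value'

echo "HTTP_* visible in parent:"
leaked_http_vars
echo "HTTP_* visible in scrubbed child: $(scrubbed_child_http_count)"
```

In practice the same allow-list idea applies when the application, rather than a wrapper script, spawns the archiver: pass an explicit environment to the process-creation call instead of inheriting the server's, and never interpolate request-derived values into a command string handed to the shell.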