WebApp Sec mailing list archives

Serverside script injection?


From: joh ket <johket () hotmail com>
Date: 10 Jan 2003 09:05:31 -0000



Hi there.

I have a question regarding serverside script injection. Does it exist - 
is it possible?

In the past there were some vulnerabilities in server-side scripts. It was 
possible to execute OS commands through URL/user input manipulation; 
I assume this happened mostly with CGI and Perl scripts. Was this just 
based on the way the variables (user input) were used in OS commands, 
and whether the 'user data' was able to break out of the intended command?

I think it depends on the application server software whether 'server-side script 
injection' is possible or not (assuming the programmer/coder does not want 
any security). In my opinion, most important is the way that the 
application server handles variables. The possibility for variables to 
contain commands...

Is it (theoretically) possible on ASP servers to inject 'malicious' code 
into the webpage, so that it is processed on the server side?
Is it possible on PHP or ColdFusion?

Are there any real life examples? 
(so that I can play with it in my testlab)

Thank you for all reactions!

Regards,
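
Added example, not part of the original post: the mechanism the question asks about (user input used inside an OS command and breaking out of it), shown in Python rather than Perl as a vulnerable lookup beside a hardened one. It assumes a POSIX shell and `grep` on the PATH; the function names, sample data and input string are constructed for illustration.

```python
import os
import subprocess
import tempfile

# Constructed sample data standing in for a file a CGI script would search.
SAMPLE = "alice:x1001\nbob:x1002\ncarol:x1003\n"


def run(cmd, shell):
    """Run cmd with empty stdin and return what it wrote to stdout."""
    done = subprocess.run(cmd, shell=shell, stdin=subprocess.DEVNULL,
                          capture_output=True, text=True)
    return done.stdout


def lookup_via_shell(term, path):
    # Vulnerable pattern: the input is pasted into one command string that
    # /bin/sh parses, so ; | & ` $ in `term` are shell syntax, not data.
    return run("grep -i " + term + " " + path, shell=True)


def lookup_via_argv(term, path):
    # Hardened pattern: no shell; every list element reaches grep as one
    # argument. -F = fixed string, -- = end of options (term may start with -).
    return run(["grep", "-i", "-F", "--", term, path], shell=False)


def demo():
    fd, path = tempfile.mkstemp(suffix=".txt")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(SAMPLE)
        # Constructed input: ';' ends the grep command, '#' comments out
        # the file name the script appends afterwards.
        hostile = "bob; echo BROKE-OUT #"
        return {
            "shell_benign": lookup_via_shell("bob", path),
            "shell_hostile": lookup_via_shell(hostile, path),
            "argv_benign": lookup_via_argv("bob", path),
            "argv_hostile": lookup_via_argv(hostile, path),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name:14} {out!r}")
```

With the same input, the string-built command runs a second command chosen by the input, while the argument-list call searches for the whole string literally and finds nothing.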

