
They need to pass data into a CGI script somehow.


But a shell will rarely be involved in executing a CGI, unless that CGI itself executes one. And who still uses CGI scripts?

Not to say nobody will be bitten by that, but I don't think that's going to be all that widespread.


Have you ever looked at the backend web interface of some of the most popular residential wifi routers? It's shell script. Why? It's a cheap and accessible interpreted language; no need to clutter up your tiny embedded OS with the huge requirements of PHP, Perl, etc. when you have all the tools you need in busybox.

CGI apps execute shell scripts all the time. Even if an app executes an app executes an app executes an app, if that app four layers down runs a shell script, the environment is still passed down. Turtles, dude.


Fortunately they are unlikely to install bash at all on a router.


Routers definitely have shells, it's just a matter of whether it's bash or something else that might also be vulnerable.


Bash is big and bloated, and you already have the busybox sh probably. However, apparently some do have bash...


Many people don't realize they use CGI scripts, but a lot of people are going to discover they do today.


It could be a simple one-line script that wraps the real command, setting memory limits and the like first. (I used a similar trick to prevent Skype using up all my memory in the past.)


Agreed, also the browser User Agent and referrer are all passed by the client and sent to Apache, which pushes them into environment variables.
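
The mechanism discussed in the comments above, as an added example that is not part of the thread: a request header becomes a CGI environment variable (the `HTTP_*` mapping from RFC 3875), that variable is still visible four process layers down, and starting the chain with a scrubbed environment (`env -i` plus an allow-list) stops it. The helper names `cgi_var_name`, `inherited_value`, `scrubbed_value`, `LAYER` and `DEPTH` are hypothetical, and the header value is a constructed sample.

```shell
#!/bin/sh
# Added illustration. Header values are constructed samples; helper names are hypothetical.

DEPTH=4   # "four layers down", as in the comment above

# One process layer: re-invoke itself until the counter reaches 1, then print
# the named variable as seen from the innermost process.
# Arguments: $1 = layers left, $2 = variable name, $3 = this script text.
LAYER='if [ "$1" -gt 1 ]; then sh -c "$3" sh "$(( $1 - 1 ))" "$2" "$3"; else printenv "$2" || true; fi'

# CGI meta-variable name for a request header (RFC 3875, section 4.1.18):
# upper-case, "-" becomes "_", prefixed with HTTP_.
cgi_var_name() {
    printf 'HTTP_%s' "$(printf '%s' "$1" | tr 'a-z-' 'A-Z_')"
}

# Value seen by the innermost of $DEPTH nested shells when the outermost
# process was started the way a web server starts a CGI program.
# Arguments: $1 = header name, $2 = client-supplied header value.
inherited_value() {
    name=$(cgi_var_name "$1")
    env "$name=$2" sh -c "$LAYER" sh "$DEPTH" "$name" "$LAYER"
}

# Same chain, but the first layer is launched with an emptied environment
# and only PATH passed through explicitly.
scrubbed_value() {
    name=$(cgi_var_name "$1")
    env "$name=$2" env -i PATH="$PATH" sh -c "$LAYER" sh "$DEPTH" "$name" "$LAYER"
}

UA='ExampleBrowser/1.0 (constructed sample)'
printf 'inherited: [%s]\n' "$(inherited_value User-Agent "$UA")"
printf 'scrubbed:  [%s]\n' "$(scrubbed_value User-Agent "$UA")"
```

Scrubbing only protects the processes below the point where it is applied; a layer that copies request data back into the environment reintroduces it for everything it spawns.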



