4

I read a related post and got the impression that the system() function in PHP does not use a shell. But then I saw the following example posted on OWASP (example 6 on the page):

The following PHP code snippet is vulnerable to a command injection attack:

<?php
print("Please specify the name of the file to delete");
print("<p>");
$file=$_GET['filename'];  // untrusted request parameter
system("rm $file");       // interpolated straight into the shell command line
?>

The following request and response are an example of a successful attack:

Request

http://127.0.0.1/delete.php?filename=bob.txt;id

Response

Please specify the name of the file to delete

uid=33(www-data) gid=33(www-data) groups=33(www-data) 

Without a shell, why would system() fall for the semicolon, OR does the system() function implementation in PHP identify the semicolon in that way?

Jake

2 Answers

4

It does use the shell. I didn't see any answer in the question you linked to that said it doesn't.

The documentation says:

system() is just like the C version of the function in that it executes the given command and outputs the result.

Since the C function uses the shell, so does the PHP function.

The documentation is slightly misleading, because the C function doesn't return any of the output of the command, while the PHP function returns the last line of the output.

Barmar
  • I was confused because PHP has a function called `shell_exec()` (http://php.net/manual/en/function.shell-exec.php). I thought, why would they need two of them? – Jake Sep 08 '15 at 15:08
  • I don't know why PHP has all those different functions for executing commands. But as far as I can tell, they all use the shell. – Barmar Sep 08 '15 at 15:11
  • They differ slightly in how they return the output. `shell_exec` returns all the output as a string, `system` returns just the last line, `exec` returns the last line and appends all the output lines to an array passed by value. – Barmar Sep 08 '15 at 15:12
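Two ways to rewrite the OWASP snippet so that the request parameter cannot turn into a second shell command, as an added example (not Barmar's code, nor OWASP's): the constant UPLOAD_DIR and both function names are assumptions made for the illustration.

```php
<?php
// Added example: the same "delete a file" endpoint, with the user input
// kept away from the shell. UPLOAD_DIR is a hypothetical absolute path
// (assumed to already be in canonical, realpath() form).
const UPLOAD_DIR = '/var/www/uploads';

// Preferred: no shell at all. Validate the name, then use the filesystem API.
function deleteUpload(string $filename): bool
{
    // Only plain file names: no "/", no whitespace, no ";", "|", "$" etc.
    if (!preg_match('/^[A-Za-z0-9._-]{1,255}$/', $filename)
        || $filename === '.' || $filename === '..') {
        return false;            // "bob.txt;id" is rejected here
    }
    // realpath() resolves symlinks; confirm the target is still inside UPLOAD_DIR.
    $real = realpath(UPLOAD_DIR . '/' . $filename);
    if ($real === false
        || strncmp($real, UPLOAD_DIR . '/', strlen(UPLOAD_DIR) + 1) !== 0) {
        return false;
    }
    return unlink($real);        // no command string, so nothing to inject into
}

// If a shell command is unavoidable: quote the argument so that the shell
// receives it as one word. With escapeshellarg(), "bob.txt;id" becomes a
// single (nonexistent) file name instead of "rm bob.txt" followed by "id".
function deleteViaShell(string $filename): string
{
    $target = UPLOAD_DIR . '/' . basename($filename);   // drop any directory part
    $cmd = 'rm -- ' . escapeshellarg($target);          // "--" ends option parsing
    $status = 0;
    $last = system($cmd, $status);                      // $status gets the exit code
    return $status === 0 ? "deleted" : "refused: " . (string) $last;
}

// Constructed request, mirroring the one in the question.
$file = $_GET['filename'] ?? 'bob.txt;id';
print("Please specify the name of the file to delete<p>");
print(deleteUpload($file) ? 'deleted' : 'refused');
```

Running it with `?filename=bob.txt;id` prints "refused" and never executes `id`, because the value is rejected before any command is built.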
2

Yes, and this example will show you:

echo system("echo $0");  // PHP leaves "$0" untouched (not a valid PHP variable); the shell expands it to its own name, e.g. "sh"
Halayem Anis