Level3 -> Level4

This program really should have come after the level 5 program, but oh well... The danger comes from the user's ability to manipulate environment variables like IFS and the path. The user can alter the Internal Field Separator to '/' so /bin/date is interpreted as a command to execute 'bin' with the argument 'date'. The attacker can modify their PATH, so they control where the system looks for the program 'bin', which they have written or linked to their target (/bin/pass or /bin/sh). The 'bin' program is executed with enhanced privileges.

The danger here was that the IFS environment variable was allowed to carry over from the shell.