It writes data to files; it may be used to do privileged writes or write files outside a restricted file system.
Injection with this command usually requires injecting two arguments.
In the case of PHP’s mail(), it has been successfully exploited with a single injection point because of the use of faulty sanitization functions.
sendmail '-OQueueDirectory=/tmp' '-X/tmp/foo'
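A defender-side check for the case above, as an added example that is not part of the original page: it tokenizes a string destined for sendmail's command line (such as the extra-parameters argument of PHP's mail()) and accepts nothing except a single well-formed -f sender. The function names, the address pattern and the use of shlex to approximate shell word splitting are assumptions of this example.

```python
import re
import shlex

# Assumption: plain ASCII envelope senders only; must not start with "-".
ADDR = re.compile(r"[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9][A-Za-z0-9.-]*\.[A-Za-z]{2,}")

# Options the page shows being injected, with why each matters.
FLAGGED = {
    "-X": "-X logs mail traffic to a caller-chosen file",
    "-O": "-O overrides a sendmail option (the page sets QueueDirectory)",
}

def audit_sendmail_args(extra):
    """Return a list of findings; an empty list means only '-f<addr>' was present."""
    try:
        argv = shlex.split(extra)  # approximates POSIX shell word splitting
    except ValueError as exc:
        return [f"unbalanced quoting: {exc}"]
    findings, senders, i = [], 0, 0
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("-f"):
            addr = arg[2:]
            if not addr and i + 1 < len(argv):  # "-f addr" form
                i += 1
                addr = argv[i]
            senders += 1
            if not ADDR.fullmatch(addr):
                findings.append(f"rejected sender {addr!r}")
        elif arg[:2] in FLAGGED:
            findings.append(f"{arg!r}: {FLAGGED[arg[:2]]}")
        else:
            findings.append(f"{arg!r}: argument not on the allowlist")
        i += 1
    if senders > 1:
        findings.append("more than one -f option")
    return findings

def sendmail_argv(sender):
    """Build an argv list for exec without a shell; raises on a bad sender."""
    if not ADDR.fullmatch(sender):
        raise ValueError(f"rejected sender {sender!r}")
    return ["sendmail", "-t", "-i", "-f", sender]

if __name__ == "__main__":
    # Constructed inputs: a benign value, then the two arguments from the page.
    for sample in ("-fnoreply@example.com", "'-OQueueDirectory=/tmp' '-X/tmp/foo'"):
        print(sample, "->", audit_sendmail_args(sample) or "ok")
```

Passing the validated sender as its own argv element, with no shell in between, removes the word-splitting step that sanitization functions try and fail to neutralize.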