The default ESAPI.properties file has an insecure default configuration for the 
Executor component. The configuration is also OS specific (specific to Windows 
standard OS install).

Here is the relevant contents for the two properties related to the Executor 
interface as defined in "configuration/esapi/ESAPI.properties":

# ESAPI Executor
# CHECKME - Not sure what this is used for, but surely it should be made OS 
independent.
Executor.WorkingDirectory=C:\\Windows\\Temp
Executor.ApprovedExecutables=C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System3
2\\runas.exe

Looking at the code in 
org.owasp.esapi.reference.DefaultExecutor.executeSystemCommand(), it is clear 
that the property "Executor.ApprovedExecutables" is intended to be a white-list 
of a set of approved executables, separated by a comma.

As it is defined, by default, both "cmd.exe" and "runas.exe" are permitted, 
which is overly permissive at best.

The default for the "Executor.ApprovedExecutables" property should be the empty 
string so that a development team is forced to specify what is acceptable to 
their specific application.

Set the 2 Executor properties to the empty string.