You were correct in your fear. I am not sure what rights the function would be granted, but it could still be a big problem.
This solution is off the top of my head, having only given it a few minutes' thought, so check it with Till or Falko, but here is how I would make it more secure:
Instead of $value holding the directory, you could use $value as a number. The number would then trigger an if statement that would delete the corresponding directory.
Let's say $value = 2;
if ($value == 1)
    remove rf /var/www/web[id]/web/joomla/
else if ($value == 2)
    remove rf /var/www/web[id]/web/phpbb2/
The only problem with this is that web[id] would need to be properly checked to make sure it only includes proper characters ([A-Z][a-z][0-9] and I believe '_'; check with Till). Have the statement die on any other values detected. A few other checks might be wise to run on web[id]. Till would be your best man to ask about the functions provided by PHP for this.
I still don't like web[id] in there, but for simplicity's sake I am not going to worry.
Later, to make it easier to update, you could place the list of directories in a static, read-only config file and have the program read them and place them in a static array. You still need to check the values, but this should make it easier to update.
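The scheme suggested in the post above, sketched in PHP as an added example that is not part of the original post or of the project's code. The function name `resolveRemovalTarget`, the `REMOVABLE_DIRS` constant, the reading of web[id] as "web" followed by the id, and the sample inputs are assumptions made for illustration; the function only resolves the path and deletes nothing.

```php
<?php
declare(strict_types=1);

// Allowlist: selector number => fixed subdirectory (names taken from the post).
// This array could later be loaded from a read-only config file instead.
const REMOVABLE_DIRS = [
    1 => 'joomla',
    2 => 'phpbb2',
];

/**
 * Hypothetical helper: turn a selector and a web id into the single path
 * that may be removed, or throw. It never deletes anything itself.
 */
function resolveRemovalTarget(string $value, string $webId, string $base = '/var/www'): string
{
    // The selector must be digits only and must be a key in the allowlist,
    // so request data never supplies any part of the directory name.
    if (!ctype_digit($value) || !array_key_exists((int) $value, REMOVABLE_DIRS)) {
        throw new InvalidArgumentException('unknown selector');
    }
    // Web id: only the characters the post names. \A and \z anchor the whole
    // string, so a trailing newline or "../" cannot slip through.
    if (preg_match('/\A[A-Za-z0-9_]+\z/', $webId) !== 1) {
        throw new InvalidArgumentException('invalid web id');
    }
    return sprintf('%s/web%s/web/%s/', $base, $webId, REMOVABLE_DIRS[(int) $value]);
}

// Constructed inputs: two legitimate requests and three that must be rejected.
$samples = [['2', '17'], ['1', 'shop_3'], ['2', '../../etc'], ['3', '17'], ['2; x', '17']];
foreach ($samples as [$value, $webId]) {
    try {
        echo resolveRemovalTarget($value, $webId), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "rejected ($value, $webId): ", $e->getMessage(), PHP_EOL;
    }
}
```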