Debian Security Advisory 1296-1 - It was discovered that the ftp extension of PHP, a server-side, HTML-embedded scripting language performs insufficient input sanitising, which permits an attacker to execute arbitrary FTP commands. This requires the attacker to already have access to the FTP server.
d3c6df087bbead582c60dfc8e0548646c6d296403aeda1230fa3321797dc4092