Summary
The remote host is missing an update to mantis
announced via advisory DSA 153-1.
Solution
https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20153-1
Insight
Joao Gouveia discovered an uninitialized variable that was used insecurely in file inclusions in the mantis package, a PHP-based bug tracking system. The Debian Security Team found several more problems of the same kind. When these problems are exploited, a remote user is able to execute arbitrary code under the web server user ID on the web server hosting the mantis system.
These problems have been fixed in version 0.17.1-2.1 for the current stable distribution (woody) and in version 0.17.3-3 for the unstable distribution (sid). The old stable distribution (potato) is not affected, since it doesn't contain the mantis package.
We recommend that you upgrade your mantis packages immediately.
Severity
Classification
-
CVE: CVE-2002-1110, CVE-2002-1111, CVE-2002-1112, CVE-2002-1113, CVE-2002-1114
CVSS Base Score: 10.0
AV:N/AC:L/Au:N/C:C/I:C/A:C
Related Vulnerabilities