Summary
The remote host is missing an update to php4 announced via advisory DSA 351-1.
Solution
https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20351-1
Insight
The transparent session ID feature in the php4 package does not properly escape user-supplied input before inserting it into the generated HTML page. An attacker could use this vulnerability to execute embedded scripts within the context of the generated page.
For the stable distribution (woody) this problem has been fixed in version 4:4.1.2-6woody3.
For the unstable distribution (sid) this problem will be fixed soon.
Refer to Debian bug #200736.
We recommend that you update your php4 package.
Severity
Classification
CVE: CVE-2003-0442
CVSS Base Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N