PHP upstream release on 20070504 stated "- Fixed CRLF injection inside ftp_putcmd(). (CVE-NO-NAME, by loveshell[at]Bug.Center.Team)"
text "A flaw was found in the PHP 'ftp' extension. If a PHP script used this extension to provide access to a private FTP server, and passed untrusted script input directly to any function provided by this extension, a remote attacker would be able to send arbitrary FTP commands to the server. (CVE-2007-2509)"
This issue was addressed in:

Red Hat Application Stack:
  http://rhn.redhat.com/errata/RHSA-2007-0355.html

Red Hat Enterprise Linux:
  http://rhn.redhat.com/errata/RHSA-2007-0348.html
  http://rhn.redhat.com/errata/RHSA-2007-0889.html
  http://rhn.redhat.com/errata/RHSA-2007-0888.html
  http://rhn.redhat.com/errata/RHSA-2007-0349.html

Fedora:
  updated to fixed upstream version
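
The check this class of flaw calls for, shown as an added example that is not part of the original report and is not PHP's own code: an FTP control-channel line is built only if neither the command nor its argument contains CR or LF. The names build_ftp_line and count_ftp_lines are hypothetical, and the sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not PHP's ftp_putcmd): formats one FTP control-channel
 * line "CMD[ ARG]\r\n" into out. Returns the line length, or -1 if the
 * command or argument contains CR or LF, or the line does not fit. */
int build_ftp_line(char *out, size_t outlen, const char *cmd, const char *arg)
{
    int n;

    if (cmd == NULL || *cmd == '\0' || strpbrk(cmd, "\r\n") != NULL)
        return -1;
    if (arg != NULL && strpbrk(arg, "\r\n") != NULL)
        return -1;  /* a line break here would start a second command */

    if (arg != NULL && *arg != '\0')
        n = snprintf(out, outlen, "%s %s\r\n", cmd, arg);
    else
        n = snprintf(out, outlen, "%s\r\n", cmd);

    if (n < 0 || (size_t)n >= outlen)
        return -1;  /* truncated: refuse rather than send a partial line */
    return n;
}

/* Counts the CRLF-terminated lines in a buffer, i.e. how many commands
 * the server would read from it. */
int count_ftp_lines(const char *buf)
{
    int lines = 0;
    while ((buf = strstr(buf, "\r\n")) != NULL) {
        lines++;
        buf += 2;
    }
    return lines;
}

int main(void)
{
    char line[512];
    /* Constructed sample inputs */
    const char *ok = "reports/2007.txt";
    const char *bad = "reports/2007.txt\r\nNOOP";

    printf("clean arg   -> %d\n", build_ftp_line(line, sizeof line, "RETR", ok));
    printf("CRLF in arg -> %d\n", build_ftp_line(line, sizeof line, "RETR", bad));
    return 0;
}
```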