Proftpd (<= pre6) passes user commands to snprinft(). snprintf(argv,len,command + host + etc); This makes it possible to insert formatstrings.