The remote host is running a vulnerable version of FlashCanvas.
Versions of FlashCanvas 1.5 and possibly earlier are vulnerable to a flaw that allows a reflected cross-site scripting (XSS) attack, due to lack of input validation of the referer header when submitted to the proxy.php script. An attacker could leverage this to execute arbitrary code in the user's browser within the security context of the browser and the server.
Upgrade to Flash Canvas Pro 1.6 or later. The vendor also advises removing proxy.php from the web directory if upgrading is not possible.