vdr before 1.2.6 does not securely create files, which allows attackers to overwrite arbitrary files.