SMS 1.9.2m and earlier allows local users to overwrite arbitrary files via a symlink attack on the (1) request1 or (2) request2 temporary files.