OpenSSH version 2.9 and earlier, with X forwarding enabled, allows a local attacker to delete any file named 'cookies' via a symlink attack.
http://archives.neohapsis.com/archives/bugtraq/2001-05/0322.html
http://archives.neohapsis.com/archives/bugtraq/2001-06/0007.html