showImg.php in EPractize Labs Subscription Manager, possibly 1.0, allows remote malicious users to overwrite arbitrary files via the db parameter.
EPractize Labs Subscription Manager 1.0