While there is far more to hardening a server than this single example, this is an often overlooked security issue in many default installations of RHEL and RHEL-based distributions (CentOS, Scientific Linux, etc.)
CentOS and RHEL come with the isdn4k-utils and coolkey packages installed by default for graphical workstations. Unfortunately, these packages create world-writable directories which binaries and scripts may execute from. While it is common to tighten /tmp, /var/tmp and /usr/tmp against execution attacks, these directories often go un-noticed.
If you do not use these utilities (and few servers do), they can be easily removed:
yum remove isdn4k-utils coolkey
Of course if you are using these, then you should find a way to secure these mountpoints with the noexec mount option. This can be done with a loopback filesystem mounted atop the offending mountpoints or with separate LVM volumes for each.
Traditionally, /var does not run executable code so you could mount the entire /var mountpoint as noexec. Its a great security practice if you can support this, however, there are some packages which expect to run their update scripts out of /var/tmp/ so be prepared to fix some broken package updates or installations. When you do have a package error, simply mount /var as executable:
mount -o remount,rw,exec /var
install the package, and then disable execution on the mountpoint:
mount -o remount,rw,noexec /var
I recommend nosuid and nodev mount options for these types of mount points as well to restrict less common attack vectors.