move_uploaded_file in PHP does not does not check for the base directory (open_basedir), which could allow remote attackers to upload files to unintended locations on the system.
http://www.securityfocus.com/bid/4325
http://www.iss.net/security_center/static/8591.php
http://online.securityfocus.com/archive/1/263259
http://online.securityfocus.com/archive/1/262999