It's possible to access directories above basedir with session_save_path().
vulners.com/securityvulns/securityvulns:doc:15342