It's possible to bypass safe mode limitation by using move_uploaded_file call and MySQL library functions to access files of different users.
vulners.com/securityvulns/securityvulns:doc:2444
vulners.com/securityvulns/securityvulns:doc:2654