It's possible to traverse working directory protection by using writing mode (srpath://…/ file prefix for fopen()).
vulners.com/securityvulns/securityvulns:doc:15888