Bug #17163 rename() bypasses safe_mode
Submitted: 2002-05-12 11:00 UTC
Modified: 2002-05-12 11:42 UTC
From: ilia at prohost dot org
Assigned:
Status: Not a bug
Package: Scripting Engine problem
PHP Version: 4.2.0
OS: Linux 2.4.18
Private report: No
CVE-ID: None
 [2002-05-12 11:00 UTC] ilia at prohost dot org
rename() function can be used to rename files a user has no access to according to safe_mode.

Ex.

touch test
<?php rename('test', 'test2'); ?>

 [2002-05-12 11:18 UTC] rasmus@php.net
Actually, we allow a rename in a directory if that directory is owned by the same user id as the running script.  So this one is not a bug.  Verify this statement and re-open if you find that this is not the case.
 [2002-05-12 11:22 UTC] rasmus@php.net
Just to follow up on this because I can already see your mind working on how this might be exploited through a script making a copy of itself and now having the web server user id as its owner.  The theory is that the web server user id does not own any system critical directories and user directories are supposed to be owned by individual users so the only potential for an exploit would be a cloned script renaming something in a directory created by another user through a web interface, but that is a bit of a tradeoff I made on purpose way back when.
 [2002-05-12 11:38 UTC] ilia at prohost dot org
mkdir test;
ls -ld test
drwxr-xr-x   2 forum    forum        4096 May 12 11:33 test

ls -l a.php
-rw-rw-rw-   1 www      www            44 May 12 10:57 a.php
a.php:
<?php rename('test', 'test3'); ?>

Script runs without errors, end result:

ls -ld test3
drwxr-xr-x   2 forum    forum        4096 May 12 11:35 test3
 [2002-05-12 11:39 UTC] ilia at prohost dot org
mkdir test;
ls -ld test
drwxr-xr-x   2 forum    forum        4096 May 12 11:33 test

ls -l a.php
-rw-rw-rw-   1 www      www            44 May 12 10:57 a.php
a.php:
<?php rename('test', 'test3'); ?>

Script runs without errors, end result:

ls -ld test3
drwxr-xr-x   2 forum    forum        4096 May 12 11:35 test3

It works with files as well as directories.
 [2002-05-12 11:42 UTC] rasmus@php.net
Perhaps I didn't explain it well.  Safe-mode also checks the directory that a.php is in.  If the owner of a.php matches the owner of '.' then the rename is allowed.  
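
The ownership rule described in the replies above, modelled as an added example; it is not part of the bug thread and is not PHP's own source. The function name, the `$ownerOf` hook and the numeric uids are assumptions, and the owner of '.' is assumed to be www because the thread never shows it.

```php
<?php
// Model of the safe_mode rename rule as described in this thread.
// $ownerOf is a hypothetical hook so constructed ownership data can be
// supplied; by default the real owner is read with fileowner().
function safeModeAllowsRename(int $scriptUid, string $path, ?callable $ownerOf = null): bool
{
    $ownerOf = $ownerOf ?? function (string $p) { return @fileowner($p); };

    // 1. Ordinary safe_mode test: the script's owner owns the target itself.
    $targetUid = $ownerOf($path);
    if ($targetUid !== false && $targetUid === $scriptUid) {
        return true;
    }

    // 2. Directory fallback from the replies: the script's owner owns the
    //    directory that contains the target.
    $dirUid = $ownerOf(dirname($path));
    return $dirUid !== false && $dirUid === $scriptUid;
}

// Constructed ownership table (uids are made up): 33 = www, 1001 = forum.
$owners = [
    '.'                => 33,    // assumption: working directory owned by www
    './test'           => 1001,  // 'test' owned by forum, as in the report
    '/home/forum'      => 1001,  // hypothetical directory owned by forum
    '/home/forum/test' => 1001,
];
$lookup = function (string $p) use ($owners) { return $owners[$p] ?? false; };

// Scenario from the report: a.php owned by www, target owned by forum,
// containing directory owned by www.
var_dump(safeModeAllowsRename(33, './test', $lookup));

// Same script owner, but the containing directory belongs to forum.
var_dump(safeModeAllowsRename(33, '/home/forum/test', $lookup));
```

The two calls differ only in who owns the containing directory, which is the condition the maintainer's replies hinge on.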
 
Last updated: Thu Aug 07 10:00:03 2025 UTC