- Bug
- Resolution: Fixed
- Major
- 3.0.6
- None
PHP Environment: All
Database: All
This bug is not realized in a vanilla phpBB install, but ...
Scenario:
A MOD has a database installer located at /install_awsm_mod/index.php. That file contains a call to login_box() in the event that the user is not logged in.
So build_url() will create S_LOGIN_ACTION as ../ucp.php?redirect=urlencode(../install_awsm/mod/index.php)
So ucp.php passes this into meta_refresh(), which in turn calls redirect(). Redirect eventually calls
$page_dirs = explode('/', str_replace('\\', '/', phpbb_realpath($pathinfo['dirname'])));
Which returns FALSE. Why? $pathinfo['dirname'] does not exist. Why?
print($pathinfo['dirname']); // displays ../install/install_awsm_mod/index.php
So of course, being at /ucp.php, "../" takes us out of the phpBB root, and into no-man's land.
The resulting redirect is
http://localhost/phpBB3/../../../../../index.php?&sid=258a07f66530b7fcedfe6c9c10bbcfd2
(the exact number of ../ depends on how many directories from / the phpBB root is.)
Browsers interpret this as "redirect to domain root", so http://localhost/ loads in error (in my case).
Ideally, the redirect would work as planned, but at least a somewhat better case would be to return to the phpBB Index page.
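The two outcomes described above (resolve the target correctly, or fall back to the board index) can be had by normalising the redirect target as a URL path instead of a filesystem path. This is an added example, not phpBB's redirect() or the fix that was committed; the function name resolve_board_redirect() and its $origin_dir parameter are hypothetical.

```php
<?php
// Added example, not phpBB's redirect(). Function and parameter names are hypothetical.

/**
 * Resolve a relative redirect target as a URL path, without phpbb_realpath()
 * or any filesystem lookup. $origin_dir is the directory (relative to the
 * board root) of the script that built the URL; '' means the board root.
 * Returns the board index when the target climbs above the board root.
 */
function resolve_board_redirect(string $target, string $board_path, string $origin_dir = ''): string
{
    $root = rtrim('/' . trim($board_path, '/'), '/') . '/';
    $index = $root . 'index.php';
    $target = str_replace('\\', '/', $target);

    // Refuse absolute URLs, scheme-relative URLs and CR/LF (header splitting).
    if ($target === '' || preg_match('#^[a-z][a-z0-9+.-]*:|^//|[\r\n]#i', $target)) {
        return $index;
    }

    // Only the path is normalised; the query string is carried over unchanged.
    $parts = explode('?', $target, 2);
    $query = isset($parts[1]) ? '?' . $parts[1] : '';

    // Start from the originating directory, then walk the target's segments.
    $stack = array_values(array_filter(explode('/', $origin_dir), 'strlen'));
    foreach (explode('/', $parts[0]) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            if (!$stack) {
                return $index; // would leave the board root
            }
            array_pop($stack);
            continue;
        }
        $stack[] = $segment;
    }
    return $stack ? $root . implode('/', $stack) . $query : $index;
}

// Constructed inputs modelled on the report (board installed at /phpBB3).
$target = '../install_awsm_mod/index.php';
echo resolve_board_redirect($target, '/phpBB3', 'install_awsm_mod'), PHP_EOL; // resolved from the MOD directory
echo resolve_board_redirect($target, '/phpBB3'), PHP_EOL;                     // resolved from ucp.php's directory
echo resolve_board_redirect('../../../../../index.php', '/phpBB3'), PHP_EOL;  // the broken redirect's path
```

Because the result is always prefixed with the board path and never contains a leftover "..", a redirect parameter cannot send the browser above the board root or to another host.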
- is duplicated by: PHPBB-9561 "Cannot break from 1 level"-Error in redirect function. (Closed)