Calling download/file.php with an empty avatar parameter can result in an E_NOTICE message containing the full path to the phpBB installation.

This is the case when the error_reporting setting (e.g. from php.ini) contains E_NOTICE.
The notice is trown in line

if ($filename[0] === 'g')

because the $filename string doesn't have an offset 0 because it's an empty string.

This has been reported by evilzone.org