Calling download/file.php with an empty avatar parameter can result in an E_NOTICE message containing the full path to the phpBB installation.
This is the case when the error_reporting setting (e.g. from php.ini) contains E_NOTICE.
The notice is trown in line
because the $filename string doesn't have an offset 0 because it's an empty string.
This has been reported by evilzone.org