Behrooz_Ice
03-27-2004, 09:40 PM
This vuln is in profile.php. When you click [Show Gallery], phpBB will show you the avatar gallery, asking you to choose one for yourself. The hole is in the form: after submitting, phpBB will use the value of "avatarselect" as the path of the gallery directly, without filtering any illegal characters. Enjoy!
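For the missing filtering described in the post above, one way to validate a gallery selection before it is used as a path. This is an added example, not part of the original post and not phpBB's own code; the function name `resolve_gallery_avatar()`, the "category/file.ext" value format, and the directory layout are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not phpBB code.
// Returns the canonical path of the chosen avatar, or null if the value is not acceptable.
function resolve_gallery_avatar(string $galleryRoot, string $selection): ?string
{
    // Assumed format: exactly "category/file.ext". The allow-list excludes
    // dots in directory names, backslashes, NUL bytes and extra separators.
    if (!preg_match('#^[A-Za-z0-9_-]+/[A-Za-z0-9_-]+\.(?:gif|jpe?g|png)$#i', $selection)) {
        return null;
    }

    $root = realpath($galleryRoot);
    if ($root === false) {
        return null;
    }

    // Canonicalise the candidate; realpath() fails if the file does not exist.
    $path = realpath($root . '/' . $selection);
    if ($path === false || !is_file($path)) {
        return null;
    }

    // Defence in depth: the canonical path must still sit under the gallery
    // root, which also catches symlinks that point elsewhere.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo layout in a temporary directory (not real phpBB paths).
$base = sys_get_temp_dir() . '/avatar_demo_' . bin2hex(random_bytes(4));
mkdir($base . '/gallery/animals', 0700, true);
file_put_contents($base . '/gallery/animals/cat.gif', 'GIF89a');
file_put_contents($base . '/outside.gif', 'GIF89a');

// Constructed inputs: one valid selection and three that must be refused.
$samples = ['animals/cat.gif', '../outside.gif', 'animals/../../outside.gif', 'animals/cat.php'];
foreach ($samples as $sel) {
    $result = resolve_gallery_avatar($base . '/gallery', $sel);
    printf("%-28s => %s\n", $sel, $result === null ? 'rejected' : 'accepted');
}
```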
