CVE-2005-3799
Description
phpBB 2.0.18 allows remote attackers to obtain sensitive information via a large SQL query, which generates an error message that reveals SQL syntax or the full installation path.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability mechanics
Root cause
"Missing input-length validation in search.php allows oversized SQL queries, causing verbose error messages that leak SQL syntax and the full installation path."
Attack vector
An attacker sends a crafted HTTP POST request to `search.php` with an extremely large value in the `search_keywords` parameter (e.g., 1 MB of data). Because phpBB does not validate input length, the oversized query is forwarded to the database, which rejects it when the packet exceeds MySQL's `max_allowed_packet` setting. The resulting error message discloses the SQL query structure and the server's file path [ref_id=1]. Alternatively, if PHP's `memory_limit` or `max_execution_time` is exceeded, the fatal error also reveals the installation path [ref_id=1][ref_id=2].
Affected code
The vulnerability lies in `search.php` and `includes/functions_search.php` of phpBB 2.0.18. The application does not limit the size of user-supplied input (e.g., the `search_keywords` POST variable), allowing an oversized SQL query to be sent to the database server. This triggers verbose error messages that reveal SQL syntax or the full filesystem installation path.
What the fix does
The advisory does not include a patch. The recommended remediation is to implement input-length validation on all user-supplied variables before they are used in SQL queries, so that oversized payloads are rejected before reaching the database or exhausting PHP resources [ref_id=1][ref_id=2]. Without such limits, the application remains dependent on PHP environment settings (e.g., `memory_limit`, `max_execution_time`) to prevent information disclosure.
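One way to implement the recommended length check, as an added example that is not phpBB's code or taken from the advisory. The function names and byte limits are assumptions; only the `search_keywords` field name comes from the description above.

```php
<?php
declare(strict_types=1);

// Assumed limits (not from the advisory): tune per field.
const FIELD_LIMITS  = ['search_keywords' => 256];
const DEFAULT_LIMIT = 1024;

/**
 * Return the names of fields that are non-string or exceed their byte cap.
 * strlen() counts bytes, which is what the DB packet and PHP memory see.
 */
function oversized_fields(array $input, array $limits = FIELD_LIMITS, int $default = DEFAULT_LIMIT): array
{
    $bad = [];
    foreach ($input as $name => $value) {
        // Array-valued parameters (field[]=...) would slip past a plain strlen() check.
        if (!is_string($value)) {
            $bad[] = (string)$name;
            continue;
        }
        if (strlen($value) > ($limits[$name] ?? $default)) {
            $bad[] = (string)$name;
        }
    }
    return $bad;
}

/** Hypothetical entry-point guard: call before any query is built. */
function guard_request(array $post): void
{
    // Errors go to the server log, never into the response body.
    ini_set('display_errors', '0');
    ini_set('log_errors', '1');

    $bad = oversized_fields($post);
    if ($bad !== []) {
        error_log('rejected oversized input: ' . implode(',', $bad));
        http_response_code(400);
        exit('Invalid request.'); // generic message, no query text or path
    }
}

// Constructed sample input: a 1 MB keyword value, then a normal one.
if (PHP_SAPI === 'cli') {
    var_dump(oversized_fields(['search_keywords' => str_repeat('A', 1048576)]));
    var_dump(oversized_fields(['search_keywords' => 'kernel panic']));
}
```

PHP parses the request body before the script runs, so this check does not by itself stop a body large enough to hit `memory_limit`; a request-size cap at the web server or via `post_max_size` is needed alongside it.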
Preconditions
- config: The server must have `display_errors` enabled (or error reporting configured to show debug messages).
- network: The attacker must be able to send HTTP POST requests to the phpBB `search.php` endpoint.
- config: The MySQL `max_allowed_packet` must be smaller than the attacker's payload, or PHP's `memory_limit`/`max_execution_time` must be low enough to be exhausted by the oversized input.
Generated on Jun 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- securityreason.com/achievement_exploitalert/4 (nvd, Exploit)
- marc.info (nvd)
- marc.info (nvd)