CWE-428: Unquoted Search Path or Element
CWE版本: 4.18
更新日期: 2025-09-09
弱点描述
The product uses a search path that contains an unquoted element, in which the element contains whitespace or other separators. This can cause the product to access resources in a parent path.
扩展描述
If a malicious individual has access to the file system, it is possible to elevate privileges by inserting such a file as "C:\Program.exe" to be run by a privileged program making use of WinExec.
常见后果
影响范围: Confidentiality Integrity Availability
技术影响: Execute Unauthorized Code or Commands
潜在缓解措施
阶段: Implementation
描述: Properly quote the full search path before executing a program on the system.
阶段: Implementation
策略: Input Validation
阶段: Implementation
策略: Input Validation
描述: Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.
观察示例
参考: CVE-2005-1185
Small handful of others. Program doesn't quote the "C:\Program Files\" path when calling a program to be executed - or any other path with a directory or file whose name contains a space - so attacker can put a malicious program.exe into C:.
参考: CVE-2005-2938
CreateProcess() and CreateProcessAsUser() can be misused by applications to allow "program.exe" style attacks in C:
参考: CVE-2000-1128
Applies to "Common Files" folder, with a malicious common.exe, instead of "Program Files"/program.exe.
引入模式
| 阶段 | 说明 |
|---|---|
| Implementation | - |
适用平台
编程语言
操作系统
分类映射
| 分类名称 | 条目ID | 条目名称 | 映射适配度 |
|---|---|---|---|
| PLOVER | - | Unquoted Search Path or Element | - |