CWE-428: Unquoted Search Path or Element

Learn about CWE-428 (Unquoted Search Path or Element), its security impact, exploitation methods, and prevention guidelines.

What is Unquoted Search Path or Element?

• Overview: An unquoted search path or element vulnerability occurs when a software application uses a search path with unquoted elements that include spaces or other separators, allowing attackers to manipulate which executable is run by the application.

• Exploitation Methods:

  • Attackers can exploit this vulnerability by placing a malicious executable in a location that the application will mistakenly run due to the unquoted path.
  • Common attack patterns include creating files with names like "C:\Program.exe" to intercept execution by a higher-privileged program.

• Security Impact:

  • Direct consequences include unauthorized execution of malicious code, potentially with elevated privileges.
  • Potential cascading effects may involve further system compromise, data breaches, or the spread of malware.
  • Business impact could include reputational damage, financial loss, and legal ramifications if sensitive information is exposed.

• Prevention Guidelines:

  • Specific code-level fixes include always quoting paths that contain spaces when specifying executable paths in code.
  • Security best practices involve thorough input validation, avoiding reliance on environment variables for path configuration, and using full paths when invoking executables.
  • Recommended tools and frameworks include static analysis tools to detect unquoted paths and code review processes to ensure secure coding practices.

Corgea can automatically detect and fix Unquoted Search Path or Element in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: Not Language-Specific

Affected Technologies: Not specified

Vulnerable Code Example

import subprocess

# Vulnerable: the whole path is handed to Windows CreateProcess as a single
# unquoted command-line string. Because the path contains spaces, the loader
# probes C:\Program.exe before it reaches the intended executable.
subprocess.run("C:\\Program Files\\MyApp\\my_script.exe")

Explanation:

  • The code above attempts to run a script located at C:\Program Files\MyApp\my_script.exe.
  • Because the path contains spaces and is passed as an unquoted command-line string, the operating system cannot tell where the executable name ends and any arguments begin.
  • An attacker could place a malicious executable at C:\Program.exe, which would be executed instead of the intended script because the system tries that shorter interpretation of the unquoted path first.

How to fix Unquoted Search Path or Element?

To fix this issue, always ensure that paths with spaces are quoted. This prevents the operating system from misinterpreting the path and executing unintended programs. It's a best practice to use functions that handle paths correctly, such as those provided by the os.path or shlex modules in Python. Additionally, avoid using shell=True with subprocess calls unless absolutely necessary, as it can introduce additional vulnerabilities.

Fixed Code Example

import subprocess

# Fixed: pass the executable as its own argument instead of a command string.
# subprocess builds the Windows command line itself and wraps any argument
# that contains spaces in double quotes, so CreateProcess receives
# "C:\Program Files\MyApp\my_script.exe" as one token and probes no other path.
# (shlex.quote is not a fix here: it emits POSIX single quotes, which
# CreateProcess does not recognise.)
subprocess.run(["C:\\Program Files\\MyApp\\my_script.exe"])

Explanation:

  • The fixed code passes the path as a one-element argument list. subprocess turns the list into a command line and double-quotes any argument that contains spaces, so the full path reaches the system as a single quoted element and no other file is tried.
  • This approach mitigates the CWE-428 vulnerability by ensuring that the path is quoted and interpreted as one element by the system.
  • Passing arguments as a list with the default shell=False also prevents command injection, because no shell parses the command line.
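As an added example (not code from the page or from Corgea), the following Python audit helper makes the ambiguity described in the vulnerable-code explanation concrete and shows the quoting that the argument-list fix produces: it reads command lines of the kind found in service or scheduled-task definitions, flags those whose executable path is unquoted and contains a space, lists the files Windows CreateProcess would probe in order for each one, and returns the double-quoted command line subprocess builds when given a list. The sample command lines are constructed; subprocess.list2cmdline is the module-level helper CPython uses on Windows (present but undocumented).

```python
import ntpath
import re
import subprocess

# Constructed sample command lines, the kind an audit reads from service or
# scheduled-task definitions; they are not taken from any real system.
SAMPLE_COMMAND_LINES = [
    r'C:\Program Files\MyApp\my_script.exe',
    r'"C:\Program Files\MyApp\my_script.exe" --daemon',
    r'C:\Tools\agent.exe --config "C:\Program Files\Agent\agent.cfg"',
    r'C:\Program Files (x86)\Vendor\Tool\svc.exe -k run',
]

def unquoted_image_path(cmdline):
    """Return the executable path if it is unquoted and contains a space
    (the CWE-428 condition), otherwise None."""
    s = cmdline.strip()
    if s.startswith('"'):
        return None  # a leading quoted token is taken as the program verbatim
    # Executable portion: up to a known executable extension, else the first token.
    m = re.match(r'(.+?\.(?:exe|bat|cmd|com))(?:\s|$)', s, re.IGNORECASE)
    image = m.group(1) if m else s.split(None, 1)[0]
    return image if ' ' in image else None

def createprocess_candidates(image):
    """Files CreateProcess probes, in order, for an unquoted image path: every
    space-delimited prefix, with .exe appended when the prefix has no extension."""
    candidates = []
    parts = image.split(' ')
    for i in range(1, len(parts) + 1):
        prefix = ' '.join(parts[:i])
        if '.' not in ntpath.basename(prefix):
            prefix += '.exe'
        candidates.append(prefix)
    return candidates

def audit(cmdlines):
    """Map each flagged command line to the paths the remediation must rule out."""
    findings = {}
    for cmd in cmdlines:
        image = unquoted_image_path(cmd)
        if image:
            findings[cmd] = createprocess_candidates(image)
    return findings

def safe_cmdline(argv):
    """Command line subprocess builds on Windows from an argument list (list2cmdline)."""
    return subprocess.list2cmdline(argv)

if __name__ == "__main__":
    for cmd, cands in audit(SAMPLE_COMMAND_LINES).items():
        print(cmd, "->", cands)
    print(safe_cmdline([r'C:\Program Files\MyApp\my_script.exe', '--daemon']))
```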