The product uses a fixed or controlled search path to find
resources, but one or more locations in that path can be under the control of
unintended actors.
Extended Description
Although this weakness can occur with any type of resource, it is
frequently introduced when a product uses a directory search path to find
executables or code libraries, but the path contains a directory that can be
modified by an attacker, such as "/tmp" or the current working directory.
Product searches /tmp for modules before other
paths.
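The following audit of a directory search path is an added example, not part of the original entry: it flags elements that resolve to the current working directory or that other users can write to, as "/tmp" allows. It assumes a POSIX system; the function names, the trusted_uids parameter and the sample directories are hypothetical and constructed for the illustration.

```python
import os
import stat
import tempfile

def audit_search_path(search_path, trusted_uids=(0,)):
    """Return (entry, reason) pairs for search path elements that an
    unintended actor could control. Order is preserved because an unsafe
    directory matters more the earlier it is searched."""
    findings = []
    for entry in search_path.split(os.pathsep):
        if entry in ("", "."):
            findings.append((entry, "resolves to the current working directory"))
            continue
        if not os.path.isabs(entry):
            findings.append((entry, "relative entry, depends on the working directory"))
            continue
        try:
            st = os.stat(entry)  # follows symlinks, so the real target is audited
        except OSError:
            findings.append((entry, "does not exist; whoever can create it would control it"))
            continue
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            # The sticky bit (as on /tmp) does not help: anyone may still add files.
            findings.append((entry, "group- or world-writable"))
        elif st.st_uid not in trusted_uids:
            findings.append((entry, "owned by untrusted uid %d" % st.st_uid))
    return findings

def demo():
    """Constructed sample: one locked-down directory and one open like /tmp."""
    with tempfile.TemporaryDirectory() as base:
        safe = os.path.join(base, "safe")
        shared = os.path.join(base, "shared")
        os.mkdir(safe)
        os.mkdir(shared)
        os.chmod(safe, 0o755)
        os.chmod(shared, 0o1777)  # same mode as a typical /tmp
        path = os.pathsep.join([shared, "", safe, "bin"])
        trusted = (0, os.getuid())  # assumption: root and the current user are trusted
        return [(e.replace(base, "<base>"), r)
                for e, r in audit_search_path(path, trusted)]

if __name__ == "__main__":
    for entry, reason in demo():
        print("%-16r %s" % (entry, reason))
```

The check covers each path element itself; a writable ancestor directory would need the same test applied to every parent.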
Potential Mitigations
Phase: Architecture and Design
Assume all input is malicious. Use a standard input validation
mechanism to validate all input for length, type, syntax, and business
rules before accepting the data to be displayed or stored. Use an
"accept known good" validation strategy.
Do not rely exclusively on blacklist validation to detect malicious
input or to encode output. There are too many variants to encode a
character; you're likely to miss some variants.
Inputs should be decoded and canonicalized to the application's
current internal representation before being validated. Make sure that
your application does not decode the same input twice. Such errors could
be used to bypass whitelist schemes by introducing dangerous inputs
after they have been checked.
Unlike untrusted search path (CWE-426), which inherently involves control
over the definition of a control sphere, this entry concerns a fixed control
sphere in which some part of the sphere may be under attacker control. This
is not a clean fit under CWE-668 or CWE-610, which suggests that the control
sphere model needs enhancement or clarification.
Content History
Submissions
Submitter: PLOVER. Source: Externally Mined.
Modifications
2008-07-01, Eric Dalci, Cigital (External): updated Potential Mitigations, Time of Introduction
2008-09-08, CWE Content Team, MITRE (Internal): updated Relationships, Observed Example, Other Notes, Taxonomy Mappings