CVE-2021-47901 Overview
CVE-2021-47901 is a CSV Injection vulnerability affecting Dirsearch version 0.4.1, a popular web path scanner used by security professionals. The vulnerability exists in the CSV report generation functionality, specifically when users employ the --csv-report flag. Attackers can exploit this flaw by crafting malicious server redirects containing comma-separated paths with embedded Excel formulas, which are then written directly to the generated CSV report without proper sanitization.
Critical Impact
Attackers can inject malicious formulas into CSV reports generated by Dirsearch, potentially leading to arbitrary code execution when the report is opened in spreadsheet applications like Microsoft Excel or LibreOffice Calc.
Affected Products
- Dirsearch 0.4.1
Discovery Timeline
- 2026-01-27 - CVE-2021-47901 published to NVD
- 2026-01-29 - Last updated in NVD database
Technical Details for CVE-2021-47901
Vulnerability Analysis
This CSV Injection vulnerability (classified as CWE-1236) occurs due to improper neutralization of formula elements in the CSV export functionality of Dirsearch. When Dirsearch scans a target web application and encounters HTTP redirects, it records the redirect URLs in its output. If an attacker controls the web server being scanned, they can configure malicious redirects containing specially crafted paths with embedded spreadsheet formulas.
The attack exploits how spreadsheet applications interpret certain characters at the beginning of cell values. Characters such as =, +, -, and @ are treated as formula prefixes by applications like Microsoft Excel. When a security analyst opens the generated CSV report, the malicious formulas execute automatically, potentially leading to data exfiltration, system compromise, or other malicious activities.
Root Cause
The root cause of this vulnerability is the lack of input sanitization when writing data to CSV files. Dirsearch's CSV report generation functionality does not escape or prefix potentially dangerous characters that could be interpreted as formula syntax by spreadsheet applications. This allows user-controlled data (in this case, redirect URLs from scanned servers) to be written directly to the output file without proper encoding.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker must first set up a malicious web server with crafted redirect responses. When a victim uses Dirsearch to scan this server with the --csv-report flag enabled, the malicious payloads are recorded in the CSV output. The attack completes when the victim opens the generated CSV file in a spreadsheet application that interprets and executes the embedded formulas.
The exploitation technique involves configuring a web server to return HTTP redirect responses where the Location header contains comma-separated values with Excel formula syntax. For example, a redirect to a path like =cmd|'/C calc.exe'!A0 would be written to the CSV file, and upon opening in Excel, could execute system commands.
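To make the root cause concrete, here is an added example, written for this page and not taken from Dirsearch, that contrasts a report writer which joins result fields with commas and writes them verbatim (the pattern described above) with a hardened writer that uses Python's csv module to quote every field and prefixes formula-like cells with a single quote. The scan row, the http://target/ URLs and the trailing ",extra" are constructed; the redirect value itself is the payload quoted in the preceding paragraph.

```python
import csv
import io

# Characters that Excel and LibreOffice Calc treat as the start of a formula when
# they appear first in a cell (tab and carriage return included, per OWASP guidance).
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

HEADER = ["URL", "Status", "Size", "Redirect"]


def write_report_vulnerable(rows):
    """Mirror of the flawed pattern: every field, including the server-controlled
    redirect target, is joined with commas and written to the file unchanged."""
    lines = [",".join(HEADER)]
    for row in rows:
        lines.append(",".join(str(cell) for cell in row))
    return "\n".join(lines) + "\n"


def neutralize_cell(value):
    """Prefix formula-like cells with a single quote so a spreadsheet shows them as text.
    Plain numbers such as -1 are prefixed too; that is the conservative trade-off."""
    text = str(value)
    if text.startswith(FORMULA_PREFIXES):
        return "'" + text
    return text


def write_report_hardened(rows):
    """Quote every field (so an embedded comma cannot add a column) and neutralize
    formula prefixes before the value reaches the file."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(HEADER)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


def parse_report(text):
    """Parse CSV text back into rows, roughly as a spreadsheet import would."""
    return list(csv.reader(io.StringIO(text)))


if __name__ == "__main__":
    # Constructed scan result: the redirect target is the payload from the advisory,
    # followed by ",extra" to show how an embedded comma also shifts columns.
    sample = [["http://target/admin", 301, 0, "=cmd|'/C calc.exe'!A0,extra"]]
    print(write_report_vulnerable(sample))
    print(write_report_hardened(sample))
```

Parsing the two outputs back shows the difference: the verbatim writer yields a five-column row whose fourth cell begins with "=", while the hardened writer keeps four columns and its redirect cell begins with "'=", which spreadsheets display rather than evaluate.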
Detection Methods for CVE-2021-47901
Indicators of Compromise
- CSV files generated by Dirsearch containing cells starting with formula characters (=, +, -, @, \t, \r)
- Unusual redirect URLs in web server logs containing comma-separated values or formula syntax
- Unexpected process execution immediately after opening CSV files in spreadsheet applications
- Network connections initiated from spreadsheet applications to external servers
Detection Strategies
- Monitor file system activity for CSV files created by Dirsearch that contain suspicious formula patterns
- Implement endpoint detection rules to alert on spreadsheet applications spawning child processes
- Use YARA rules to scan CSV files for common CSV injection patterns before opening
- Enable logging on web servers to detect reconnaissance scans with formula payloads in response headers
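The following is an added example of the "scan CSV files before opening" strategy above; it is not part of the advisory or of Dirsearch. It parses a report with Python's csv module (so quoted fields are handled), flags any cell whose first character is a formula prefix, and skips plain signed numbers such as a Size of -1 so numeric columns do not produce false positives. The SAMPLE_REPORT rows and the http://target/ URLs are constructed; row 4 reuses the payload quoted earlier on this page.

```python
import csv
import io
import re
import sys

# Leading characters that spreadsheet applications interpret as a formula prefix.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

# Plain signed numbers (e.g. a Size of -1) start with "-" or "+" but are not formulas.
NUMBER_RE = re.compile(r"[+-]?\d+(\.\d+)?")


def is_formula_like(cell):
    """True when the cell would be evaluated as a formula by Excel or LibreOffice Calc."""
    if not cell.startswith(FORMULA_PREFIXES):
        return False
    return NUMBER_RE.fullmatch(cell) is None


def scan_csv_text(text):
    """Return (row, column, cell) for every suspicious cell; rows and columns are 1-based."""
    findings = []
    for row_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for col_no, cell in enumerate(row, start=1):
            if is_formula_like(cell):
                findings.append((row_no, col_no, cell))
    return findings


def scan_csv_file(path):
    """Scan a report on disk; newline='' lets the csv module see embedded \\r unchanged."""
    with open(path, newline="", encoding="utf-8", errors="replace") as fh:
        return scan_csv_text(fh.read())


# Constructed Dirsearch-style report: rows 4, 5 and 7 carry formula-prefixed
# redirect cells (row 4 reuses the payload quoted in the advisory); the negative
# sizes in rows 5 and 6 are ordinary numbers and must not be reported.
SAMPLE_REPORT = (
    "URL,Status,Size,Redirect\n"
    "http://target/index.html,200,1024,\n"
    "http://target/old,301,0,http://target/new\n"
    "http://target/admin,302,0,=cmd|'/C calc.exe'!A0\n"
    "http://target/temp,200,-1,@SUM(1+1)\n"
    "http://target/neg,200,-42,\n"
    "http://target/tab,200,0,\t=1+1\n"
)


if __name__ == "__main__":
    # Usage: python scan_csv.py [report.csv]; exits 1 when anything is flagged,
    # so it can gate a pipeline step that hands the file to a spreadsheet.
    hits = scan_csv_file(sys.argv[1]) if len(sys.argv) > 1 else scan_csv_text(SAMPLE_REPORT)
    for row_no, col_no, cell in hits:
        print(f"row {row_no} col {col_no}: {cell!r}")
    sys.exit(1 if hits else 0)
```

On the built-in sample the scanner reports three cells, all in the Redirect column, and stays silent on the -1 and -42 sizes.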
Monitoring Recommendations
- Configure SentinelOne to monitor for process chains where Excel or LibreOffice spawn command-line interpreters
- Implement network monitoring to detect outbound connections from spreadsheet applications to untrusted destinations
- Enable file integrity monitoring on directories where Dirsearch outputs are typically stored
How to Mitigate CVE-2021-47901
Immediate Actions Required
- Upgrade Dirsearch to a version newer than 0.4.1 that includes proper CSV sanitization
- Avoid using the --csv-report flag when scanning untrusted or potentially malicious web servers
- Open CSV files in text editors first to inspect for suspicious content before opening in spreadsheet applications
- Configure spreadsheet applications to disable automatic formula execution for imported CSV files
Patch Information
Users should update to the latest version of Dirsearch available from the GitHub Directory Scanner repository. The vulnerability is documented in Exploit-DB #49370 and the VulnCheck Security Advisory.
Workarounds
- Manually prefix all CSV cell values with a single quote (') before opening in spreadsheet applications
- Use alternative output formats such as JSON or plain text instead of CSV when available
- Process CSV output through a sanitization script that escapes formula-triggering characters
- Open CSV files in Google Sheets (browser-based), which has more restrictive formula execution policies
# Configuration example
# Sanitize Dirsearch CSV output before opening in Excel
# This script prefixes potentially dangerous cells with a single quote:
# a cell is treated as dangerous when it starts a line or directly follows a
# field separator and begins with =, +, @ or -.
# Caveats: requires GNU sed (-i with no argument); it does not parse quoted
# fields, so a cell written as "=..." is left untouched, and negative numbers
# such as -1 are prefixed as well.
sed -i "s/^\([=+@-]\)/'\1/; s/,\([=+@-]\)/,'\1/g" dirsearch_report.csv
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

