Summary & Impact
This is an auth bypass vulnerability in the Dart SDK that exposes sensitive information to unauthorized actors. For Dart SDK versions prior to 2.16.0, the HttpClient in the dart:io library includes sensitive headers when handling a cross-origin redirect if those headers were set explicitly when making the request. These headers may carry credentials that malicious actors can use to hijack a session, forge requests, or impersonate the user. The relevant headers are "authorization", "www-authenticate", "cookie", and "cookie2".
By default, HttpClient follows redirects automatically. If a request carrying a sensitive header is sent to example.com and example.com redirects to altostrat.com, the developer might not expect altostrat.com to receive the authorization header; in the worst case, altostrat.com could collect those credentials and use them to perform actions without the user's consent.
Scope of the vulnerability
This vulnerability only impacts the HttpClient API in the dart:io library, and only when sensitive headers are set explicitly on the request.
Affected platforms & versions
- All platforms with dart:io (except web)
- Dart versions prior to 2.16.0
- Flutter versions prior to 2.10.0
Mitigations if any
N/A
Workarounds if any:
The workaround is to disable automatic redirects and handle the redirect logic explicitly, so that the application decides which headers each redirect target receives.
Workaround example
import 'dart:io';

Future<void> main() async {
  final client = HttpClient();
  var uri = Uri.parse('http://localhost/');
  var request = await client.getUrl(uri);
  // Disable automatic redirects so this code controls what each hop receives.
  request.followRedirects = false;
  var response = await request.close();
  while (response.isRedirect) {
    // Discard the redirect response body before reusing the connection.
    await response.drain();
    final location = response.headers.value(HttpHeaders.locationHeader);
    // A redirect without a Location header cannot be followed; stop here
    // instead of looping forever on the same response.
    if (location == null) break;
    uri = uri.resolve(location);
    request = await client.getUrl(uri);
    // Set the body or headers as desired. This is the point at which to
    // decide whether the new uri should receive sensitive headers at all.
    request.followRedirects = false;
    response = await request.close();
  }
}
Remediation options:
This issue is fixed in Dart SDK version 2.16. In Dart SDK version 2.16 or greater, the "authorization", "www-authenticate", "cookie", and "cookie2" headers are dropped on cross-origin redirects.
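As an added example (not part of the advisory or the Dart SDK's own code), the manual redirect loop below re-sends the four sensitive headers only when the redirect target has the same origin as the original request, which is the behaviour Dart 2.16 applies by itself. "Origin" is taken here to mean scheme, host and port; `getWithSafeRedirects` and `sameOrigin` are names chosen for this example. The demo starts two loopback servers on different ports, so the redirect between them is cross-origin, and prints whether the target ever saw the constructed authorization header.

```dart
import 'dart:convert';
import 'dart:io';

// Header names the Dart 2.16 fix drops on cross-origin redirects.
const sensitiveHeaders = ['authorization', 'www-authenticate', 'cookie', 'cookie2'];

bool sameOrigin(Uri a, Uri b) =>
    a.scheme == b.scheme && a.host == b.host && a.port == b.port;

// GET [uri] with [headers], following redirects by hand; sensitive headers
// are re-sent only when the hop stays on the original origin.
Future<HttpClientResponse> getWithSafeRedirects(HttpClient client, Uri uri,
    Map<String, String> headers, {int maxRedirects = 5}) async {
  final start = uri;
  var request = (await client.getUrl(uri))..followRedirects = false;
  headers.forEach((name, value) => request.headers.set(name, value));
  var response = await request.close();
  for (var hops = 0; response.isRedirect && hops < maxRedirects; hops++) {
    await response.drain(); // discard the redirect body, keep the connection
    final location = response.headers.value(HttpHeaders.locationHeader);
    if (location == null) break;
    uri = uri.resolve(location);
    request = (await client.getUrl(uri))..followRedirects = false;
    final keepSensitive = sameOrigin(start, uri);
    headers.forEach((name, value) {
      if (keepSensitive || !sensitiveHeaders.contains(name.toLowerCase())) {
        request.headers.set(name, value);
      }
    });
    response = await request.close();
  }
  return response;
}

Future<void> main() async {
  // Constructed demo: two loopback servers on different ports, so the
  // redirect from `origin` to `target` is cross-origin.
  final target = await HttpServer.bind(InternetAddress.loopbackIPv4, 0);
  target.listen((req) {
    final auth = req.headers.value(HttpHeaders.authorizationHeader);
    req.response..write('target saw authorization: ${auth != null}')..close();
  });
  final origin = await HttpServer.bind(InternetAddress.loopbackIPv4, 0);
  origin.listen((req) =>
      req.response.redirect(Uri.parse('http://127.0.0.1:${target.port}/')));
  final client = HttpClient();
  final response = await getWithSafeRedirects(client,
      Uri.parse('http://127.0.0.1:${origin.port}/'),
      {'authorization': 'Bearer constructed-example-token'});
  print(await response.transform(utf8.decoder).join());
  client.close();
  await origin.close();
  await target.close();
}
```

Changing the two servers to share a port is not possible, but pointing the redirect at `origin.port` instead shows the same-origin case, where the header is re-sent.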
References
- HttpClient usage: https://api.dart.dev/dart-io/HttpClient-class.html
Acknowledgments
We thank Misir Jafarov for reporting this issue.