Closed platypii closed 7 years ago
It's worth mentioning that this allows evildomain.com to receive the password reset token, and therefore could reset the password of anyone who clicks the link.
@platypii thanks a lot for reporting this. I added 2 properties that let you configure the host and port of the application. From RoutesService I'm now using a version of Call.absoluteURL that receives the host/port instead of picking it up from the Host header.
It is possible for an attacker to trigger securesocial to send an authentic password reset email to a user, but with a malicious link included.
Steps:
1) Fill out reset password form with victim's email address
2) Intercept or modify outgoing request, add http header "Host: evildomain.com"
3) Send POST request to securesocial
4) Victim will receive an email with a link to reset their password, but pointed at evildomain.com
This happens because RoutesService.scala:115 uses Call.absoluteURL, which will pick up the domain from the Host field.
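To make the root cause and the fix above concrete, here is an added Scala example (not securesocial's or Play's code) that places the Host-header-derived link beside a link built from configured host and port, which is the approach the maintainer describes. `AppConfig`, `ResetLinkBuilder` and the `/reset/<token>` path are assumptions chosen for illustration.

```scala
// Added example: why a password reset link must not take its authority from the
// request's Host header. AppConfig and ResetLinkBuilder are illustrative names.
final case class AppConfig(host: String, port: Int, secure: Boolean) {
  // Authority as it should appear in outgoing links, omitting the default port.
  def authority: String = {
    val defaultPort = if (secure) 443 else 80
    if (port == defaultPort) host else s"$host:$port"
  }
}

object ResetLinkBuilder {
  private def scheme(secure: Boolean): String = if (secure) "https" else "http"

  // Vulnerable pattern: the authority is whatever the client sent in the Host
  // header, which is the behaviour the issue attributes to Call.absoluteURL.
  def fromRequestHost(secure: Boolean, requestHost: String, token: String): String =
    s"${scheme(secure)}://$requestHost/reset/$token"

  // Hardened pattern: the authority comes from application configuration, so a
  // forged Host header cannot redirect the token to another domain.
  def fromConfig(cfg: AppConfig, token: String): String =
    s"${scheme(cfg.secure)}://${cfg.authority}/reset/$token"
}

object Demo extends App {
  val cfg = AppConfig("example.com", 443, secure = true)
  val token = "constructed-token" // constructed sample value, not a real token

  // Same request, Host header set to a domain the application does not own:
  println(ResetLinkBuilder.fromRequestHost(secure = true, "evildomain.com", token))
  // Link built from configuration points at the application regardless of headers:
  println(ResetLinkBuilder.fromConfig(cfg, token))
}
```

As a second layer, rejecting requests whose Host header is not in a known list (Play ships an AllowedHostsFilter for this in later versions) keeps a forged header from reaching the reset flow at all.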