password reset link security vulnerability

[tcnichol]

Host Header Injection: By capture the POST request for a password reset sent
to https://cpmr.tacc.utexas.edu/reset, a malicious user can edit the Host
entry in the header. This will modify the password reset link sent to the user
to direct them to the attacker's site.

[tcnichol]

This may fix the issue. Need to upgrade secure social.
jaliss/securesocial#601

[longshuicy]

@lmarini and I brainstormed some possible fix:

1. instead of directly using "@securesocial.core.providers.utils.RoutesHelper.signUp(token).absoluteURL(IdentityProvider.sslEnabled)" compare this link with the host name to see if they match
   2. use the "host_ip" environment variable or introduce another hostname environment variable
2. when compare, if doesn't match, replace the hostname with that

In below places:

clowder/app/views/ss/mails/passwordResetEmail.scala.html

Line 8 in f28c203

<a href="@securesocial.core.providers.utils.RoutesHelper.resetPassword(token).absoluteURL(IdentityProvider.sslEnabled)">

and

clowder/app/views/ss/mails/signUpEmail.scala.html

Line 8 in f28c203

<a href="@securesocial.core.providers.utils.RoutesHelper.signUp(token).absoluteURL(IdentityProvider.sslEnabled)">link</a> to complete your registration

[longshuicy]

Host_IP see here:

clowder/conf/application.conf

Line 24 in f28c203

hostIp = "localhost"

In the .html template, here is an example of how you get variable (e.g. sortInMemory)

clowder/app/views/spaces/collectionsGrid.scala.html

Line 7 in f28c203

@if(play.Play.application().configuration().getBoolean("sortInMemory")) {

play.Play.application().configuration().getBoolean("sortInMemory")

[robkooper]

Problem is that the hostIp is almost never set, this was a hack for one of the previewers. Since the URL can change we tried to not hardcode this in the configuration.

The following code try to see what the URL should be.

https://github.com/clowder-framework/clowder/blob/develop/app/util/RequestUtils.scala#L15

https://github.com/clowder-framework/clowder/blob/develop/app/controllers/Utils.scala#L18

[longshuicy]

Problem is that the hostIp is almost never set, this was a hack for one of the previewers. Since the URL can change we tried to not hardcode this in the configuration.

The following code try to see what the URL should be.

https://github.com/clowder-framework/clowder/blob/develop/app/util/RequestUtils.scala#L15

https://github.com/clowder-framework/clowder/blob/develop/app/controllers/Utils.scala#L18

Maybe it's time we introduce another config variables? The idea is we need to have control on the host in the email sent out to avoid host header injection.. i think...

[longshuicy]

Problem is that the hostIp is almost never set, this was a hack for one of the previewers. Since the URL can change we tried to not hardcode this in the configuration.

The following code try to see what the URL should be.

https://github.com/clowder-framework/clowder/blob/develop/app/util/RequestUtils.scala#L15

https://github.com/clowder-framework/clowder/blob/develop/app/controllers/Utils.scala#L18

I think the similar idea of getBaseUrlAndProtocol triggered this bug report in the first place? That's a known bug in secure social: jaliss/securesocial#601