Security: password reset email host injection

[platypii]

It is possible for an attacker to trigger securesocial to send an authentic password reset email to a user, but with a malicious link included.

Steps:

1. Fill out reset password form with victim's email address
2. Intercept or modify outgoing request, add http header "Host: evildomain.com"
3. Send POST request to securesocial
4. Victim will receive an email with a link to reset their password, but pointed at evildomain.com

This happens because RoutesService.scala:115 uses Call.absoluteURL, which will pick up the domain from the Host field.

[platypii]

It's worth mentioning that this allows evildomain.com to receive the password reset token, and therefore could reset the password of anyone who clicks the link.

[jaliss]

@platypii thanks a lot for reporting this. I added 2 properties that let you configure the host and port of the application. From RoutesService I'm now using a version of Call.absoluteURL that receives the host/port instead of picking it up from the Host header.