We have identified a VAPT issue in our Oracle APEX application deployed on
ORDS 24.1.11 running on Apache Tomcat 9.0.11.

Observed behavior:
When the application URL host is replaced with another value, the
application redirects using that modified host instead of keeping the
redirect restricted to the approved domain. For example, if the original
host is replaced, the response follows the changed host value.

For example, when the application is accessed using sdcoradb5.com:8083, and
the host value is replaced with bing.com, the application redirects using
the modified host value instead of the approved application domain.

This indicates that the request host may be getting trusted in the Tomcat
layer, which can lead to a host header injection or unvalidated redirect
issue.

Oracle support has advised that this needs to be checked at the Tomcat
layer, so we are requesting your help to review the configuration and
identify the root cause.

Expected behavior:

The application should only redirect to the approved application domain and
should ignore or reject unexpected host values.


Please investigate and suggest the required configuration or remediation
steps.

Reply via email to