Application Express Version #: 4.2.0.00.27
We’ve recently encountered an error in the Oracle APEX Change Password functionality.
We’ve found the following:
This is a security issue for us, as our application is used by external clients.
We performed initial investigations and thought this issue may have occurred when the APEX Application Build Status is Run And Build Application, and the user is prompted to change their password. In this scenario, if the user enters the new password details and selects the [Return] button, the APEX Designer screen is displayed.
We’ve found that an external client received the APEX Designer login screen after changing the password when the APEX Application Build Status was Run Application Only.
Can someone provide some help to resolve this issue?
Many Thanks in advance.
When an application with APEX authentication requires a password change, it navigates to the change password page 4155:50. It also passes the application's home link as a deep link, so the change password page knows where to redirect to when you hit [Return]. I have never heard of a case where this redirects to 4550:1. Can you please post the exact page flows (app id : page id) for this interaction?
Btw, for internet-facing systems, you should really consider using a runtime-only installation. This significantly reduces the available interfaces. In your scenario, it is trivial for an external client (or an attacker who may have scanned IP ranges and found your server) to directly navigate to the APEX login page and make some login attempts.
Thanks for your response.
Please let me clarify the following:
As requested the page flows are as follows:
The user enters the old and new password
The user hits [Return]
I hope this is helpful.
Thanks for the additional information.
I meant that an internet-facing site perhaps should not have the APEX development environment installed at all. You can just install the runtime components of APEX, to remove attack vectors.
Intermittent issues are always tricky to diagnose. How often does this happen? Are you seeing anything suspicious in the web server logs? Speaking of web server, what are you using? A bug can never be ruled out, but I suspect that there is a configuration issue somewhere. If you have a support contract, I suggest that you open a service request. You could give login credentials of your app to support, to let them diagnose the issue.
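Two points made in the replies above, that an attacker who finds the server can go straight to the APEX login page, and that the web server logs are worth checking, can be turned into a small log check. The following is an added example, not code from this thread or from Oracle. It assumes Apache/NCSA combined log format (ORDS or OHS access logs can be mapped onto it), uses the application IDs named in the thread (4550:1 for the development environment login, 4155:50 for the change password page), treats `wwv_flow.accept` as the APEX form submit target, and runs over constructed sample log lines with made-up addresses, timestamps and session IDs.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Application IDs named in the thread above.
DEV_LOGIN_APP = 4550   # 4550:1 is the development environment login page
AUTH_APP = 4155        # 4155:50 is the change password page used by APEX authentication

# Combined log format (Apache / NCSA style).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not from the original thread): one legitimate user who
# is sent through the change password page, and one client hammering the
# development login page with repeated form submissions.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2014:09:12:01 +0000] "GET /apex/f?p=100:1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2014:09:12:45 +0000] "GET /apex/f?p=4155:50:123456789 HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jan/2014:09:13:02 +0000] "GET /apex/f?p=4550:1 HTTP/1.1" 200 7788 "-" "python-requests/2.2"
198.51.100.23 - - [10/Jan/2014:09:13:03 +0000] "POST /apex/wwv_flow.accept HTTP/1.1" 302 0 "http://example.test/apex/f?p=4550:1" "python-requests/2.2"
198.51.100.23 - - [10/Jan/2014:09:13:04 +0000] "GET /apex/f?p=4550:1 HTTP/1.1" 200 7788 "-" "python-requests/2.2"
198.51.100.23 - - [10/Jan/2014:09:13:05 +0000] "POST /apex/wwv_flow.accept HTTP/1.1" 302 0 "http://example.test/apex/f?p=4550:1" "python-requests/2.2"
198.51.100.23 - - [10/Jan/2014:09:13:06 +0000] "GET /apex/f?p=4550:1 HTTP/1.1" 200 7788 "-" "python-requests/2.2"
198.51.100.23 - - [10/Jan/2014:09:13:07 +0000] "POST /apex/wwv_flow.accept HTTP/1.1" 302 0 "http://example.test/apex/f?p=4550:1" "python-requests/2.2"
"""


def apex_app_page(url):
    """Return (app_id, page_id) from an APEX f?p=APP:PAGE:... URL, or (None, None)."""
    if not url or url == "-":
        return None, None
    values = parse_qs(urlsplit(url).query).get("p")
    if not values:
        return None, None
    parts = values[0].split(":")
    try:
        app = int(parts[0])
        page = int(parts[1]) if len(parts) > 1 and parts[1] else None
    except ValueError:
        return None, None
    return app, page


def parse_line(line):
    """Parse one combined-format line and attribute it to an APEX app and page."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    # A request URL like f?p=4550:1 names the app directly; a POST to
    # wwv_flow.accept (the APEX form submit target) only carries it in the Referer.
    app, page = apex_app_page(e["target"])
    if app is None:
        app, page = apex_app_page(e["referer"])
    e["app"], e["page"] = app, page
    e["login_post"] = (e["method"] == "POST"
                       and e["target"].endswith("wwv_flow.accept")
                       and app == DEV_LOGIN_APP)
    return e


def analyze(log_text, post_threshold=3):
    """Count per-IP traffic to the development login app and the change password page."""
    dev_hits, login_posts, password_change = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if e["app"] == DEV_LOGIN_APP:
            dev_hits[e["ip"]] += 1
            if e["login_post"]:
                login_posts[e["ip"]] += 1
        elif e["app"] == AUTH_APP and e["page"] == 50:
            password_change[e["ip"]] += 1
    alerts = []
    for ip, n in dev_hits.items():
        # On an internet-facing site any traffic to app 4550 is worth a look; a
        # runtime-only installation, as suggested above, removes this interface.
        alerts.append(f"{ip}: {n} request(s) to development login app {DEV_LOGIN_APP}")
    for ip, n in login_posts.items():
        if n >= post_threshold:
            alerts.append(f"{ip}: {n} login submissions to app {DEV_LOGIN_APP}; possible password guessing")
    return {"dev_hits": dev_hits, "login_posts": login_posts,
            "password_change": password_change, "alerts": alerts}


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG)["alerts"]:
        print(alert)
```

Run it over a real access log by passing the file contents to `analyze`. The per-IP count of 4155:50 hits is the one to correlate with the intermittent report above: if a client's change-password request is followed in the log by a request to 4550:1, the log shows where the redirect came from.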