Legacy Knowledge Base
Published Jun. 30, 2025

Possible Host Header Attack Vulnerability

Written By

Alex Chau

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify itssuitability for your situation and project.
Note: Liferay has renamed its Liferay Experience Cloud offerings to Liferay SaaS (formerly LXC) and Liferay PaaS (formerly LXC-SM).

Behavior

A potential vulnerability was recently identified for Liferay PaaS powered applications. Liferay PaaS customers can encounter a behavior that looks like a redirection vulnerability (Host Header Attack) when handling URLs that contain encoded period characters (%2e) in the URL path.

For example, when using the curl command with such encoded URLs, it is possible to supply a different Host header, resulting in what appears to be a redirect to another URL.

Simply put, when a curl command is used to reach a site with an encoded period character (%2e) in the path, the request may be redirected (302) to an external site if a Host header is specified. An example of such a request:

curl 'https://<Application URL>/%2e' -H 'host: malicious-site.com'


Analysis

Upon investigation and review, our team has concluded that the behavior is not a threat to Liferay Cloud customers and is in fact quite common, even among sites like https://facebook.com/, https://twitter.com/, and https://www.microsoft.com/.

The expected behavior for a request like the one presented earlier would be a 404 error or a redirect back to the base URL. Instead, the client is redirected to the site specified in the Host header (-H). During our investigation it was discovered that the redirect happens at the load balancer level: our cloud provider handles the request and issues the redirect before it ever reaches the Liferay Cloud application layer. This is relevant because Liferay Cloud does not control how requests are handled by the cloud provider's load balancer. Essentially, while the redirection may be logged, no request is actually processed by the application, so there is nothing for this vulnerability to act on.
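To make the distinction in the paragraph above concrete, here is an added example (not code from the article or from any Liferay product) contrasting the two ways a front end can build the Location of a redirect after normalizing a path containing %2e: one that copies the client-supplied Host header, which produces the behavior described here, and one that only honors an allowlist and otherwise falls back to a configured canonical host. It also includes a small triage function that, given load-balancer-style records, flags 3xx responses whose Location points off-host, which is how a customer can confirm from logs that such probes never reached the application. The hostnames and the request records are constructed for this example.

```python
"""Canonical-host redirects and log triage for the encoded-period (%2e) redirect.

All hostnames and records here are constructed for illustration; they are not
from the Liferay article or from any Liferay code.
"""
from urllib.parse import unquote, urlsplit

# Hostnames the application legitimately serves (constructed placeholder values).
ALLOWED_HOSTS = {"example-app.lfr.cloud", "www.example-app.lfr.cloud"}
CANONICAL_HOST = "example-app.lfr.cloud"


def normalize_path(raw_path: str) -> str:
    """Percent-decode the path and remove dot segments (RFC 3986 section 5.2.4),
    so '/%2e' becomes '/' and '/a/%2e%2e/b' becomes '/b'. This normalization is
    what turns a request for '/%2e' into a redirect in the first place."""
    decoded = unquote(raw_path)
    segments = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def redirect_location_from_host(host_header: str, raw_path: str) -> str:
    """The pattern the article describes: the Location is built from the
    client-supplied Host header, so a forged Host becomes a 302 to that host."""
    return f"https://{host_header}{normalize_path(raw_path)}"


def redirect_location_canonical(host_header: str, raw_path: str) -> str:
    """Hardened pattern: honor the Host header only if it is one of ours;
    otherwise redirect to the configured canonical host."""
    host = host_header.split(":", 1)[0].lower()
    target_host = host if host in ALLOWED_HOSTS else CANONICAL_HOST
    return f"https://{target_host}{normalize_path(raw_path)}"


# Constructed load-balancer style records: (Host header, path, status, Location).
SAMPLE_RECORDS = [
    ("example-app.lfr.cloud", "/web/guest", 200, ""),
    ("example-app.lfr.cloud", "/%2e", 302, "https://example-app.lfr.cloud/"),
    ("malicious-site.example", "/%2e", 302, "https://malicious-site.example/"),
    ("www.example-app.lfr.cloud", "/%2e%2e/", 302, "https://www.example-app.lfr.cloud/"),
]


def off_host_redirects(records):
    """Return the records where a 3xx response sends the client to a host that
    is not in ALLOWED_HOSTS. In the scenario the article describes these are
    load-balancer responses, so they should never correlate with application
    access-log entries."""
    flagged = []
    for host, path, status, location in records:
        if 300 <= status < 400 and location:
            loc_host = (urlsplit(location).hostname or "").lower()
            if loc_host not in ALLOWED_HOSTS:
                flagged.append((host, path, status, location))
    return flagged


if __name__ == "__main__":
    print(redirect_location_from_host("malicious-site.example", "/%2e"))
    print(redirect_location_canonical("malicious-site.example", "/%2e"))
    for rec in off_host_redirects(SAMPLE_RECORDS):
        print("off-host redirect:", rec)
```

The allowlist check in redirect_location_canonical is the mitigation to apply wherever a redirect is generated from request data; in the Liferay PaaS case the article notes that the redirect is produced by the provider's load balancer, so the triage function is the part a customer can actually use, by running it over the load balancer logs and confirming that flagged records have no matching application-layer request.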


As mentioned, sites like Facebook, Twitter and Microsoft behave in the same way for requests made with curl. Because today's browsers have built-in safeguards against Host Header attacks, this attack vector is very limited: a browser sends only the Host derived from the URL the user is visiting, leaving very little opportunity to forge the Host header.


https://issues.liferay.com/browse/LCSEC-722

