That is a security issue: someone can pass in a return_url to a different site.
So you need to debug your configuration.
What version of OpenACS are you using? It should work with port 8000/8443.
The code is in security::locations in acs-tcl/tcl/security-procs.tcl.
This procedure checks the HTTP port configured for nssock and nsopenssl and should correctly figure out the URLs from there.
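
The kind of check discussed in this reply, as an added example that is not part of the original post and is not the OpenACS implementation: a return_url is accepted only if it is a local path or points at a location built from the configured HTTP/HTTPS ports. The proc names `example_locations` and `example_return_url_ok`, the host name and the sample URLs are hypothetical, and the `scheme://host[:port]` form of a location is an assumption.

```tcl
# Added example: plain Tcl, no OpenACS or NaviServer calls.
# Proc names, host and sample URLs are constructed for illustration.

# Build the accepted locations from a host and the configured ports.
# An empty port means that driver is not loaded; default ports are omitted.
proc example_locations {host http_port https_port} {
    set locations {}
    foreach {scheme port default} [list http $http_port 80 https $https_port 443] {
        if {$port eq ""} { continue }
        if {$port == $default} {
            lappend locations "$scheme://$host"
        } else {
            lappend locations "$scheme://$host:$port"
        }
    }
    return $locations
}

# Return 1 when return_url is a local path or an absolute URL whose
# scheme://host[:port] equals one of the accepted locations, else 0.
proc example_return_url_ok {return_url locations} {
    # Control characters and backslashes are parsed inconsistently: reject.
    if {[regexp {[[:cntrl:]\\]} $return_url]} { return 0 }
    # Local path, but not a protocol-relative "//host/..." reference.
    if {[string match "/*" $return_url] && ![string match "//*" $return_url]} {
        return 1
    }
    if {![regexp -nocase {^(https?)://([^/?#]*)} $return_url -> scheme authority]} {
        return 0
    }
    # A userinfo part ("user@host") can disguise the real host: reject.
    if {[string first "@" $authority] >= 0} { return 0 }
    set origin [string tolower "$scheme://$authority"]
    foreach location $locations {
        if {$origin eq [string tolower $location]} { return 1 }
    }
    return 0
}

# Constructed sample: a site configured on the ports named in the thread.
set locations [example_locations www.example.org 8000 8443]
foreach url {
    /dotlrn/index
    http://www.example.org:8000/register/
    https://www.example.org:8443/pvt/home
    http://www.example.org/register/
    //other.example.net/
    https://other.example.net:8443/
} {
    puts [format "%-40s %s" $url [example_return_url_ok $url $locations]]
}
```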