Azure App Service flaw exposes huge collection of source code repositories

By Scott Marlette Last updated Dec 23, 2021

A flaw in Microsoft’s Azure App Service has been exposing customer source code for years, security researchers have discovered.

According to cloud security providers Wiz.io, Microsoft’s platform for building and hosting web apps has contained insecure default behavior in its Linux variant since 2017, and as a result, PHP, Node, Python, Ruby and Java customer source code had been exposed.

The company named the flaw ‘NotLegit’, and said it was “probably exploited in the wild”. IIS-based applications are safe, though. After deploying a vulnerable app of their own, it only took Wiz.io four days to get a threat actor trying to access the contents of the source code folder on the exposed endpoint.

Microsoft fix

However, it can’t be sure if someone knew of the NotLegit flaw, or if it was just a regular scan for exposed .git folders.

“Small groups of customers are still potentially exposed and should take certain user actions to protect their applications, as detailed in several email alerts Microsoft issued between the 7th – 15th of December, 2021,” Wiz.io noted.

Microsoft acknowledged the flaw, and said it already deployed a fix.

“MSRC was informed by Wiz.io, of an issue where customers can unintentionally configure the .git folder to be created in the content root, which would put them at risk for information disclosure. This, when combined with an application configured to serve static content, makes it possible for others to download files not intended to be public,” Microsoft said in an announcement.

To solve the problem, Microsoft updated all PHP images to disallow serving the .git folder as static content as a defense in depth measure, notified impacted customers, as well as those who had the .git folder uploaded to the content directory, and updated its Security Recommendations document with an additional section on securing source code. Finally, it updated the documentation for in-place deployments, as well.

Via BleepingComputer

For all the latest Technology News Click Here

For the latest news and updates, follow us on Google News.

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.