
Azure App Service flaw exposes huge collection of source code repositories


A flaw in Microsoft's Azure App Service has been exposing customer source code for years, security researchers have discovered. 

According to cloud security provider Wiz.io, Microsoft's platform for building and hosting web apps has shipped with an insecure default in its Linux variant since 2017, and as a result the source code of PHP, Node, Python, Ruby and Java applications deployed to it has been exposed.

The company named the flaw 'NotLegit' and said it was "probably exploited in the wild"; IIS-based (Windows) applications are not affected. After deploying a vulnerable app of their own, Wiz.io saw a threat actor attempting to access the contents of the source code folder on the exposed endpoint within four days.

Microsoft fix

However, Wiz.io cannot be sure whether that actor knew of the NotLegit flaw or was simply running a routine scan for exposed .git folders.

"Small groups of customers are still potentially exposed and should take certain user actions to protect their applications, as detailed in several email alerts Microsoft issued between the 7th - 15th of December, 2021,” Wiz.io noted.

Microsoft acknowledged the flaw, and said it already deployed a fix.

“MSRC was informed by Wiz.io, of an issue where customers can unintentionally configure the .git folder to be created in the content root, which would put them at risk for information disclosure. This, when combined with an application configured to serve static content, makes it possible for others to download files not intended to be public,” Microsoft said in an announcement.

To address the problem, Microsoft updated all PHP images to disallow serving the .git folder as static content as a defense in depth measure, notified impacted customers as well as those who had a .git folder uploaded to the content directory, and added a section on securing source code to its Security Recommendations document. It also updated the documentation for in-place deployments.
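The condition Microsoft describes above is easy to check for from the outside: if the web server hands out the contents of /.git/HEAD and /.git/config, the repository metadata (and, from there, the tracked files and any remote URL in the config) is downloadable by anyone. The following probe is an added example written for this page; it is not Wiz.io's scanner or Microsoft's fix. It takes a pluggable fetch function so it runs offline against constructed responses, and it checks the bodies against real Git signatures so that an app which answers every path with a 200 (a single-page-app fallback, for instance) is not reported as exposed. The host name example.invalid and the three simulated sites are assumptions; http_fetch is the one to plug in against your own App Service hostname.

```python
"""Probe a web app for a .git folder served as static content (the NotLegit condition)."""
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

# A fetch returns (HTTP status, body text); pluggable so the example runs offline.
Fetch = Callable[[str], Tuple[int, str]]

# Content signatures of genuine Git metadata. A bare 200 is not enough: many apps
# answer unknown paths with their index page, so we require the real file shapes.
HEAD_RE = re.compile(r"\A(ref: refs/heads/\S+|[0-9a-f]{40})\Z")   # symbolic ref or detached SHA-1
CONFIG_CORE_RE = re.compile(r"^\[core\]", re.M)                    # every .git/config has [core]


def parse_git_config(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the INI-like .git/config format: {section: {key: value}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()          # e.g. 'core' or 'remote "origin"'
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def probe_git_exposure(base_url: str, fetch: Fetch) -> Dict[str, object]:
    """Request the two cheapest Git metadata files and report what an attacker would learn."""
    base = base_url.rstrip("/")
    status, head = fetch(base + "/.git/HEAD")
    head_exposed = status == 200 and bool(HEAD_RE.match(head.strip()))

    status, config = fetch(base + "/.git/config")
    config_exposed = status == 200 and bool(CONFIG_CORE_RE.search(config))

    remotes: List[str] = []
    if config_exposed:
        for name, kv in parse_git_config(config).items():
            if name.startswith("remote ") and "url" in kv:
                remotes.append(kv["url"])   # leaked upstream repository location

    return {
        "exposed": head_exposed or config_exposed,
        "head": head_exposed,
        "config": config_exposed,
        "remotes": remotes,
    }


def http_fetch(url: str) -> Tuple[int, str]:
    """Real network fetch for use against your own hosts (not exercised offline)."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


# Constructed responses simulating three deployments (assumption: not captured traffic).
VULNERABLE_SITE = {
    "/.git/HEAD": (200, "ref: refs/heads/main\n"),
    "/.git/config": (200,
        "[core]\n\trepositoryformatversion = 0\n\tbare = false\n"
        '[remote "origin"]\n\turl = https://example.invalid/acme/webapp.git\n'
        "\tfetch = +refs/heads/*:refs/remotes/origin/*\n"),
}
HARDENED_SITE = {   # server configured to refuse the .git folder
    "/.git/HEAD": (403, "Forbidden"),
    "/.git/config": (403, "Forbidden"),
}
SPA_SITE = {        # catch-all 200 that must not produce a false positive
    "/.git/HEAD": (200, "<!doctype html><html><body>app shell</body></html>"),
    "/.git/config": (200, "<!doctype html><html><body>app shell</body></html>"),
}


def make_fetch(site: Dict[str, Tuple[int, str]]) -> Fetch:
    """Build an offline fetch that answers from a constructed path -> response table."""
    def fetch(url: str) -> Tuple[int, str]:
        path = urllib.parse.urlsplit(url).path
        return site.get(path, (404, "Not Found"))
    return fetch


if __name__ == "__main__":
    for label, site in (("vulnerable", VULNERABLE_SITE), ("hardened", HARDENED_SITE), ("spa", SPA_SITE)):
        print(label, probe_git_exposure("https://example.invalid", make_fetch(site)))
```

Run it against a hostname you own by swapping make_fetch(...) for http_fetch. A clean result here only shows that .git/HEAD and .git/config are not served; it does not prove the folder is absent from the content root, so the fix Microsoft describes (keeping .git out of the served directory, and refusing to serve it as static content) is still the one to apply.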

Via BleepingComputer