A vulnerability was discovered in Microsoft’s Azure App Service that resulted in the source code of customer applications written in Java, Node, PHP, Python and Ruby being exposed for at least four years since September 2017.
The vulnerability with the code name “Not Legit“Was reported to the tech giant by Wiz researchers on October 7, 2021, prompting action to be taken to correct the information disclosure bug in November said a “limited subset of customers” was at risk, adding, “Customers who deployed code to App Service Linux via Local Git after files were already created in the application were the only customers affected.”
the Azure App Service (also known as Azure Web Apps) is a cloud computing-based platform for building and hosting web applications. It enables users to deploy source code and artifacts for the service using a local Git Repository or through repositories hosted on GitHub and Bitbucket.
The default insecure behavior occurs when using the local Git method to deploy to Azure App Service, resulting in a scenario where the Git repository is created in a publicly accessible directory (home / site / wwwroot).
While Microsoft is adding a “web.config” file to the .git folder – contains the status and history of the repository – to restrict public access, the configuration files are only used with C # or ASP.NET applications based on Microsoft’s own IIS web servers, omitting apps written in other programming languages such as PHP, Ruby coded, Python or Node which are provided with different web servers like Apache, Nginx and Flask.
“Basically, a malicious actor just had to get the ‘/.git’ directory from the target application and retrieve its source code,” said Wiz researcher Shir Tamari. “Malicious actors continuously search the internet for exposed Git folders from which they can collect secrets and intellectual property. In addition to the possibility that the source contains secrets such as passwords and access tokens, leaked source code is often used for other sophisticated attacks. “
“Finding vulnerabilities in software is much easier when the source code is available,” added Tamari.