Azure App Service failure exposes a large collection of source code repositories

A flaw in Microsoft's Azure App Service has exposed customer source code for years, security researchers have discovered.

According to cloud security provider Wiz.io, Microsoft's platform for building and hosting web applications has had insecure default behavior in its Linux variant since 2017, and as a result customer source code for PHP, Node, Python, Ruby and Java applications has been exposed.

The company named the flaw "NotLegit" and said it was "likely exploited in the wild." IIS-based applications, however, are safe. After Wiz.io deployed its own vulnerable app, it took only four days for a malicious actor to attempt to access the contents of the source code folder on the exposed endpoint.

Microsoft fix

However, it can't be said for certain whether anyone was aware of the NotLegit flaw, or whether it was just a routine scan for exposed .git files.

"Small groups of customers are still potentially at risk and need to take certain user actions to protect their apps, as detailed in multiple email alerts Microsoft issued between December 7-15, 2021," Wiz.io noted.

Microsoft has acknowledged the flaw and said it has already implemented a patch.

"Wiz.io has informed MSRC of an issue where customers may inadvertently configure the .git folder to be created at the root of the content, putting them at risk of information disclosure. This, when combined with an application configured to offer static content, allows others to download files that are not intended to be public," Microsoft said in an announcement.

To resolve the issue, Microsoft has updated all PHP images to prohibit serving the .git folder as static content as a defense-in-depth measure, notified affected customers as well as those who have a .git folder in the content directory, and updated its Security Guidance Document with an additional section on protecting source code. Lastly, it also updated the documentation for in-place deployments.
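The root cause described above is repository metadata landing inside the served content root; a pre-deploy check that flags a .git folder there, and whether a deny rule covers it, is the control a defender would want. The following is an added example, not code from Wiz.io or Microsoft; it assumes an Apache front end with a `RedirectMatch 404` rule in `.htaccess` as the blocking form, and the sample site tree it builds is constructed for the demo.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumed form of an Apache .htaccess rule that returns 404 for any /.git path.
GIT_DENY_RULE = re.compile(r"^\s*RedirectMatch\s+404\s+.*\\\.git", re.MULTILINE)

def find_git_dirs(site_root):
    """Return every .git directory under the served root, relative to it."""
    root = Path(site_root)
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        if ".git" in dirnames:
            found.append(str(Path(dirpath, ".git").relative_to(root)))
            dirnames.remove(".git")  # no need to descend into repo metadata
    return sorted(found)

def audit_site_root(site_root):
    """Classify a content directory before it is served as static content."""
    git_dirs = find_git_dirs(site_root)
    if not git_dirs:
        return "clean", git_dirs
    htaccess = Path(site_root, ".htaccess")  # assumed Apache front end
    if htaccess.is_file() and GIT_DENY_RULE.search(htaccess.read_text()):
        return "git_present_but_blocked", git_dirs
    return "git_exposed", git_dirs

def build_sample_site(base, with_git=True, with_deny=False):
    """Constructed sample wwwroot mimicking an in-place (git) deployment."""
    root = Path(base, "wwwroot")
    root.mkdir(parents=True)
    (root / "index.php").write_text("<?php echo 'hello';")
    if with_git:  # repo metadata ends up inside the served content root
        (root / ".git").mkdir()
        (root / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
    if with_deny:
        (root / ".htaccess").write_text('RedirectMatch 404 "/\\.git"\n')
    return str(root)

def run_demo():
    """Audit three constructed deployments; returns {scenario: status}."""
    scenarios = {"in_place_git": {}, "git_with_deny": {"with_deny": True},
                 "no_git": {"with_git": False}}
    results = {}
    for name, kw in scenarios.items():
        with tempfile.TemporaryDirectory() as tmp:
            results[name] = audit_site_root(build_sample_site(tmp, **kw))[0]
    return results
```

Running `run_demo()` reports the in-place deployment as `git_exposed`, the one with the deny rule as `git_present_but_blocked`, and the tree without repo metadata as `clean`.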

Via BleepingComputer