Azure App Service flaw exposes huge collection of source code repositories


A flaw in Microsoft’s Azure App Service has exposed client source code for years, security researchers have found.

According to cloud security providers, Microsoft’s platform for building and hosting web applications has contained insecure default behavior in its Linux variant since 2017, and as a result customers’ PHP, Node, Python, Ruby and Java source code has been exposed.

The company named the flaw “NotLegit” and said it was “likely exploited in the wild.” IIS-based applications, however, are not affected. After the researchers deployed their own vulnerable application, it took only four days for a malicious actor to attempt to access the contents of the source code folder on the exposed endpoint.

Microsoft fix

However, he cannot be sure if anyone was aware of the NotLegit flaw, or if it was just a regular scan of exposed .git files.

“Small groups of customers are still potentially at risk and should take certain user actions to protect their applications, as detailed in several email alerts Microsoft issued between December 7 and December 15, 2021,” Noted.

Microsoft has recognized the flaw and said it has already deployed a patch.

“MSRC has been informed by of an issue where customers may unintentionally configure the .git folder to be created in the content root, which would put them at risk of information disclosure. This, when combined with an application configured to serve static content, allows others to download files that are not intended to be public,” Microsoft noted in an advisory.

To resolve the issue, Microsoft updated all PHP images to block the .git folder from being served as static content as a defense-in-depth measure, notified affected customers as well as those who had a .git folder in the content directory, and updated its Security Guidance document with an additional section on securing source code. Finally, it also updated the documentation for in-place deployments.
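The disclosure works because a .git directory in the content root is treated like any other static content, so files such as .git/HEAD and .git/config become downloadable. The following is an added example, not code from Microsoft, the researchers or BleepingComputer, that an operator can run against an application they own to confirm the fix is in place. It assumes the app is reachable over HTTP at a base URL you supply (hypothetical `https://myapp.example` below); the fetch function is injectable so the content checks can be exercised with constructed responses. It validates the body rather than trusting a 200 status, because many frameworks answer unknown paths with a 200 HTML “not found” page.

```python
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional

# Files Git always creates; if the web server returns them, .git is being served.
GIT_PROBE_PATHS = ("/.git/HEAD", "/.git/config")

Fetcher = Callable[[str], Optional[bytes]]


def looks_like_git_head(body: bytes) -> bool:
    """True if body is a plausible .git/HEAD: a symbolic ref or a bare object id."""
    text = body.strip()
    if text.startswith(b"ref: refs/"):
        return True
    # Detached HEAD: a 40-hex SHA-1 or 64-hex SHA-256 object id.
    return len(text) in (40, 64) and all(c in b"0123456789abcdef" for c in text)


def looks_like_git_config(body: bytes) -> bool:
    """True if body looks like a Git repository config file."""
    return b"[core]" in body and b"repositoryformatversion" in body


def default_fetch(url: str, timeout: float = 10.0) -> Optional[bytes]:
    """Return up to 4 KiB of a 200 response body, or None on any failure."""
    req = urllib.request.Request(url, headers={"User-Agent": "git-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            if resp.status != 200:
                return None
            return resp.read(4096)
    except (urllib.error.URLError, OSError):
        return None


def check_git_exposure(base_url: str, fetch: Fetcher = default_fetch) -> Dict[str, object]:
    """Probe the two marker files and report whether either is genuinely served."""
    base = base_url.rstrip("/")
    evidence: Dict[str, bool] = {}
    head = fetch(base + GIT_PROBE_PATHS[0])
    evidence[GIT_PROBE_PATHS[0]] = head is not None and looks_like_git_head(head)
    cfg = fetch(base + GIT_PROBE_PATHS[1])
    evidence[GIT_PROBE_PATHS[1]] = cfg is not None and looks_like_git_config(cfg)
    return {"exposed": any(evidence.values()), "evidence": evidence}


if __name__ == "__main__":
    # Usage: python check_git_exposure.py https://myapp.example  (hypothetical URL)
    target = sys.argv[1] if len(sys.argv) > 1 else "https://myapp.example"
    result = check_git_exposure(target)
    status = "EXPOSED" if result["exposed"] else "not exposed"
    print(f"{target}: .git {status} -> {result['evidence']}")
```

If the check reports an exposure, the remediation the advisory describes applies: keep the .git folder out of the content root (or deny it at the web server) and rotate any secrets that were ever committed to the repository, since the history is what an attacker downloads.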

Via BleepingComputer
