The Azure App Service
Microsoft has addressed a security hole in its Azure App Service that had been exposing the source code of customer apps built in Java, Node, PHP and Python since September 2017. The tech giant was alerted to the vulnerability by Wiz researchers on October 7th this year. A fix was released in November to close the information exposure flaw.
Nicknamed “NotLegit”, the detected vulnerability affected a restricted group of customers, according to Microsoft. The company revealed that the only users impacted were those who had deployed code to App Service Linux through Local Git after files had already been generated in the application.
A blog post on Wiz’s website explains that a malicious actor only needs access to the “/.git” directory of the target application in order to obtain the source code. Once stolen, source code can give an attacker access to tokens and passwords, but it is often exploited for more advanced attacks. For instance, software vulnerabilities are more easily discovered when the source code is accessible. For this reason, cybercriminals are constantly scanning the internet for Git directories that have been left exposed.
Details about the NotLegit flaw reveal that it occurs when deploying to Azure App Service using the Local Git method, where the Git repository is generated in a directory that is open to the public (home/site/wwwroot).
While it is possible to restrict public access to the repository by adding a “web.config” file to .git, this file is only honoured by C# or ASP.NET applications that run on Microsoft’s own IIS web server, and not by applications written in other programming languages such as Ruby, Python or Node that use other web servers.
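For apps whose web server ignores web.config, the equivalent protection has to live in the application stack itself. The following is an added example, not code from Wiz or Microsoft: a framework-agnostic WSGI middleware (so it works with Flask, Django or any other Python app) that refuses to serve any path containing a dot-prefixed segment such as `.git`, after percent-decoding and normalising the path so that encoded or traversal variants of the request are caught too. The inner `demo_app`, the `call` helper and the request paths are constructed for the demonstration.

```python
"""Added example (not Wiz's or Microsoft's code): block requests for hidden
directories such as /.git in a WSGI app whose web server does not honour
web.config, as a mitigation for the exposure class described above."""
import posixpath
from urllib.parse import unquote

HIDDEN_PREFIX = "."  # any path segment starting with '.' is refused


def is_hidden_path(raw_path: str) -> bool:
    """True if any segment of the decoded, normalised path starts with '.'.

    WSGI servers usually hand over PATH_INFO already percent-decoded; the extra
    unquote() is defence in depth for servers that do not. normpath() collapses
    '.' and '..' segments, so '/static/../.git/config' resolves to '/.git/config'
    and '/%2egit/HEAD' resolves to '/.git/HEAD' before the check runs.
    """
    path = posixpath.normpath("/" + unquote(raw_path).lstrip("/"))
    return any(seg.startswith(HIDDEN_PREFIX) for seg in path.split("/") if seg)


def block_hidden_paths(app):
    """Wrap a WSGI app so hidden paths get a plain 404 and never reach it.

    404 rather than 403 is deliberate: a 403 would confirm to a scanner that the
    directory exists, a 404 gives it nothing to distinguish from a missing file.
    """
    def middleware(environ, start_response):
        if is_hidden_path(environ.get("PATH_INFO", "")):
            body = b"Not Found"
            start_response("404 Not Found", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return app(environ, start_response)
    return middleware


def demo_app(environ, start_response):
    """Constructed stand-in for the real application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def call(app, path: str):
    """Drive a WSGI app with a minimal constructed environ; returns (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": path,
        "SERVER_NAME": "localhost",
        "SERVER_PORT": "80",
        "wsgi.url_scheme": "http",
    }
    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    protected = block_hidden_paths(demo_app)
    for p in ["/", "/index.html", "/.git/HEAD", "/%2egit/config", "/static/../.git/HEAD"]:
        print(p, "->", call(protected, p))
```

Because the check runs inside the app process, it holds regardless of which web server fronts it; the normalisation step matters because a plain string comparison against "/.git" would miss the encoded and traversal forms shown in the `__main__` block.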
The Azure App Service (also known as Azure Web Apps) is Microsoft’s cloud-based platform for creating and deploying web apps. A local Git repository or repositories hosted on GitHub and Bitbucket can be used to upload source code and other assets to the service.