
A 4-Year-Old Azure App Service Bug Leaked Hundreds of Source Code Folders.

Wiz researchers reported the vulnerability, which leads to leakage of application source code, to the tech giant on October 7, 2021. Luckily, Microsoft released mitigations for the information disclosure bug in November.

Microsoft stated that only a “limited subset of customers” are at risk, adding that “customers who deployed code to App Service Linux through Local Git after files had already been created in the application were the only impacted customers.”

Since September 2017, a security flaw in Microsoft’s Azure App Service has exposed the source code of customer applications written in Java, Node, PHP, Python, and Ruby for at least four years.

The Azure App Service (also known as Azure Web Apps) is a cloud-based platform for developing and hosting web applications. It enables users to deploy source code and artefacts to the service via a local Git repository or via GitHub and Bitbucket folders.

The .git folder can be found in the content folder in the following circumstances:

  1. Local Git was used to deploy application code after files were created or modified in the content root outside of Git.
  2. SCM_REPOSITORY_PATH was explicitly configured to enable in-place deployments. This is an advanced user operation.
  3. The .git folder was included with the application code during non-Git App Service deployments.
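To check a deployment for the circumstances just listed, here is an added Python audit (not code from Microsoft or Wiz); it assumes the content root is available on disk and the app settings are passed as a dict, and the sample layout it builds is constructed for the demonstration.

```python
"""Pre-deployment audit (hypothetical helper, not Microsoft's or Wiz's code) for the
conditions listed above: a .git directory inside the content root, which a web
server may serve as static content, and in-place deployment via SCM_REPOSITORY_PATH."""
import os
import tempfile
from pathlib import Path

def find_git_dirs(content_root):
    """Return every .git directory under content_root, as paths relative to it."""
    root = Path(content_root)
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        if ".git" in dirnames:
            found.append(str(Path(dirpath, ".git").relative_to(root)))
            dirnames.remove(".git")  # no need to descend into the repository itself
    return sorted(found)

def in_place_deployment_enabled(app_settings):
    """True when SCM_REPOSITORY_PATH is set, i.e. the Git repository lives in the content root."""
    return bool(app_settings.get("SCM_REPOSITORY_PATH", "").strip())

def looks_like_git_head(body):
    """Classify the body returned for <your-site>/.git/HEAD in a post-deployment check of
    your own app: a real HEAD is either a symbolic ref or a 40-hex commit id."""
    text = body.strip()
    if text.startswith("ref: refs/"):
        return True
    return len(text) == 40 and all(c in "0123456789abcdef" for c in text.lower())

def audit(content_root, app_settings):
    """Summarise both conditions as a list of human-readable findings."""
    issues = [f"{rel} sits inside the content root and may be served as static content"
              for rel in find_git_dirs(content_root)]
    if in_place_deployment_enabled(app_settings):
        issues.append("SCM_REPOSITORY_PATH is set: in-place deployment keeps .git in the content root")
    return issues

def make_sample_content_root():
    """Constructed sample layout for the demonstration: a .git directory left behind
    next to the application code after a Local Git deployment."""
    root = Path(tempfile.mkdtemp())
    (root / "site" / ".git").mkdir(parents=True)
    (root / "site" / ".git" / "HEAD").write_text("ref: refs/heads/main\n")
    (root / "site" / "app").mkdir()
    return root

if __name__ == "__main__":
    sample = make_sample_content_root()
    for issue in audit(sample, {"SCM_REPOSITORY_PATH": "."}):
        print(issue)
```

Run the audit against the real content root before publishing and, after deployment, feed the body of a request for your own site's /.git/HEAD to looks_like_git_head to confirm the folder is not being served.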

Microsoft says it took the following steps after the issue was brought to its attention:

  1. We updated all PHP images to disallow serving the .git folder as static content as a defense in depth measure.
  2. Notified customers who were impacted due to the activation of in-place deployment with specific guidance on how to mitigate the issue. We also notified customers who had the .git folder uploaded to the content directory.
  3. Updated our Security Recommendations document with an additional section on securing source code. We also updated the documentation for in-place deployments.

Finally, Wiz researcher Shir Tamari concluded: “Malicious actors are constantly searching the internet for vulnerable Git folders from which to steal secrets and intellectual property. Aside from the possibility that the source code contains secrets such as passwords and access tokens, leaked source code is frequently used in more sophisticated attacks.”
