A vulnerability in Microsoft Azure App Service has been found to expose hundreds of source code repositories. Dubbed “NotLegit,” the flaw stems from insecure default behavior in Azure App Service. It exposed the source code of customer applications written in PHP, Python, Ruby or Node that were deployed using Local Git.
Azure App Service, also known as Azure Web Apps, is a cloud platform for hosting websites and web applications. There are multiple ways to deploy source code and artifacts to Azure App Service. With Local Git, a customer initializes a local Git repository linked to the Azure App Service container and pushes the code straight to the server.
The issue arises from the use of Local Git. Where the Local Git deployment method was used to deploy to Azure App Service, the Git repository was created inside a publicly accessible directory that anyone could reach.
Described by the researchers as a quirk unique to Microsoft, a web.config file was added to the Git folder inside the public directory to restrict public access to those files. Microsoft’s IIS web server honours web.config files, which works fine for C# and ASP.NET applications deployed with IIS, but not for other web servers.
With PHP, Ruby, Python and Node, deployments typically use web servers such as Apache, Nginx and Flask, which do not process web.config files. As a result, no protection was provided and the source code was exposed to all and sundry.
The issue has since been mitigated. Even so, small groups of customers could still be exposed and should take certain actions to protect their applications. Microsoft emailed notifications to those impacted, based on their configuration.
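The following self-check, added here and not part of the original report or of any Microsoft tooling, lets an operator confirm whether their own App Service deployment still serves the Git folder described above: it requests `/.git/HEAD` (the one file every repository has) and classifies the response. The hostname is a placeholder for an app you own, and the 200-but-not-HEAD case is treated as inconclusive because many frameworks answer unknown paths with a catch-all HTML page.

```python
"""Self-check for the NotLegit exposure pattern on an App Service you operate.

Local Git deployments placed the Git folder inside the public web root and
relied on a web.config file to deny access. Only IIS honours web.config, so a
PHP/Python/Ruby/Node app served by Apache or Nginx may still expose it.
A real .git/HEAD starts with "ref: refs/heads/<branch>" (or a 40-hex commit id
when the checkout is detached); receiving that means the repository is readable.
"""
import re
import urllib.error
import urllib.request

# Placeholder hostname: point this at an App Service you own.
APP_URL = "https://example-app.azurewebsites.net"

_HEAD_REF = re.compile(rb"^ref: refs/heads/\S+")
_HEAD_DETACHED = re.compile(rb"^[0-9a-f]{40}\s*$")


def classify_git_head(status: int, body: bytes) -> str:
    """Classify the response to GET /.git/HEAD.

    'exposed'      -> body looks like a genuine Git HEAD file
    'protected'    -> the server refused or has no such path (401/403/404)
    'inconclusive' -> anything else, e.g. a 200 catch-all HTML page or a 5xx
    """
    if status in (401, 403, 404):
        return "protected"
    if status == 200 and (_HEAD_REF.match(body) or _HEAD_DETACHED.match(body)):
        return "exposed"
    return "inconclusive"


def fetch(url: str) -> tuple[int, bytes]:
    """GET url and return (status, first 256 bytes); HTTP errors are data here."""
    req = urllib.request.Request(url, headers={"User-Agent": "notlegit-selfcheck"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(256)
    except urllib.error.HTTPError as err:
        return err.code, err.read(256)


def check_deployment(base_url: str = APP_URL) -> str:
    """Return the exposure verdict for one deployment's /.git/HEAD."""
    status, body = fetch(base_url.rstrip("/") + "/.git/HEAD")
    return classify_git_head(status, body)


if __name__ == "__main__":
    # 'exposed' means web.config is not being honoured: deny the path in the
    # web server that actually serves the app (Apache/Nginx), not in web.config.
    print(f"{APP_URL}: .git folder is {check_deployment()}")
```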