Security specialist Wiz warns of a vulnerability in Microsoft’s Azure App Service. Abuse of the vulnerability allows hundreds of source code repositories to be exposed. Microsoft has since closed the leak.
Wiz discovered the so-called NotLegit vulnerability in Azure App Service. The service, also known as Azure Web Apps, is a platform for hosting websites and web-based applications. Source code and artefacts can be uploaded to Azure App Service using the Local Git tool. Users can set up a Local Git repository with the Azure App Service container and push the code directly to the server.
According to the researchers, that’s precisely where the vulnerability lies. When Local Git was used to deploy code to Azure App Service, the git repository was set up in a publicly accessible directory.
Different languages affected
Source code written in PHP, Python, Ruby or Node is especially vulnerable. This is partly because applications in these languages often run on web servers such as Apache, Nginx and Flask. These web servers do not handle web.config files, which allows public access to the aforementioned source code repositories.
Known at Microsoft
Wiz security specialists notified Microsoft of the vulnerability in October of this year. Microsoft has since fixed the issue. Regardless, the experts urge users to check whether their source code was leaked and take appropriate action.
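One way to carry out that check, as an added example that comes from neither Wiz nor Microsoft: scan the web server's access log for requests under `.git` that were actually served. The combined log format, the function name `find_git_exposure` and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed format: common/combined access log,
#   ip - user [time] "METHOD path HTTP/x" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# A path segment named ".git", also with a URL-encoded dot, case-insensitive.
GIT_RE = re.compile(r'/(?:\.|%2e)git(?:/|$)', re.IGNORECASE)

def find_git_exposure(lines):
    """Return {client_ip: [paths]} for requests under .git answered with 2xx."""
    served = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # line is not in the assumed format
        path = m["path"].split("?", 1)[0]  # ignore the query string
        # Only 2xx counts: a 403 or 404 means the file was not handed out.
        if GIT_RE.search(path) and m["status"].startswith("2"):
            served[m["ip"]].append(path)
    return dict(served)

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:09:14:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2024:09:15:22 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "curl/7.79"',
    '203.0.113.9 - - [01/Jan/2024:09:15:23 +0000] "GET /.git/config HTTP/1.1" 200 141 "-" "curl/7.79"',
    '198.51.100.44 - - [01/Jan/2024:10:02:10 +0000] "GET /.git/HEAD HTTP/1.1" 403 153 "-" "scanner"',
    '198.51.100.50 - - [01/Jan/2024:10:05:00 +0000] "GET /docs/my.github.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '192.0.2.15 - - [01/Jan/2024:11:30:45 +0000] "GET /%2Egit/index?x=1 HTTP/1.1" 200 4096 "-" "python-requests"',
]

if __name__ == "__main__":
    for ip, paths in find_git_exposure(SAMPLE_LOG).items():
        print(f"{ip} was served {len(paths)} file(s) under .git: {', '.join(paths)}")
```

A hit with a 2xx status means repository files left the server, so anything stored in that repository should be treated as disclosed.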