Researchers discovered a security vulnerability in Azure App Service that exposed the source code of client applications written in PHP, Python, Ruby, or Node that were deployed using “Local Git”.
The default insecure behavior was dubbed “NotLegit” by the Wiz research team, who found the bug. They say the vulnerability has been around since September 2017 and believe it has likely been exploited in the wild. Wiz reported the results to Microsoft on October 7, 2021, and this has since been mitigated, although small groups of customers are still potentially at risk, Wiz notes.
Azure App Service, also known as Azure Web Apps, is a cloud-based platform for hosting web applications and websites. There are several ways to deploy source code and artifacts to Azure App Service. One of them is Local Git, through which users launch a local Git repository in the Azure App Service container, which allows them to push their code to the server.
When Local Git was used to deploy to Azure App Service, the Git repository was created in a publicly accessible directory (home / site / wwwroot) that anyone could access, the researchers explain in a blog post. Microsoft was aware of this, so to protect the files it added a “web.config” file to the .git folder in the public directory, and it restricted public access. However, only the Microsoft Internet Information Services (IIS) web server manages the “web.config” files, they note.
This meant that for people using C # or ASP.NET, their applications were deployed with IIS, and Microsoft’s mitigation worked. But PHP, Ruby, Python, and Node are deployed with different web servers that don’t support “web.config” files. This means that mitigation did not apply and applications were vulnerable to attackers who could retrieve files not intended to be public.
As a result, customers might unintentionally configure the .git folder to be created in the content root. This puts them at risk of information disclosure. This issue, combined with an application configured to serve static content, would allow attackers to download their files.
“This happens because the system tries to preserve files currently deployed as part of the repository content and enables what are known as Deployment Engine In-Place (Kudu) deployments,” wrote the Microsoft Security Response Center. in a blog post.
Microsoft released its own update today to indicate that the issue is limited to Azure App Service Linux customers who have deployed apps using Local Git after creating or modifying files in the content root directory . Applications deployed with Microsoft IIS by Azure App Service Windows customers are not affected.
“Customers who deployed code to App Service Linux through Local Git after creating files in the app were the only customers affected,” Microsoft wrote.
After learning of the issue, Microsoft said it updated all PHP images to disallow the .git folder from serving as static content. Customers affected by the issue have been notified, he noted.