
Microsoft admits to Azure application service source code leak vulnerability

Microsoft disclosed a vulnerability in its Azure App Service for Linux that allows downloading files that users almost certainly don’t intend to make public.

Microsoft bills Azure App Service as exactly what you want if you wish to “quickly and easily create enterprise-ready web and mobile applications for any platform or device and deploy them on a scalable and reliable cloud infrastructure”.

Please note that the description does not mention security.

This omission is strangely prescient, because cloud security firm Wiz investigated the service and found what it describes as “the insecure default behavior in Azure App Service that exposes the source code of client applications written in PHP, Python, Ruby or Node deployed using ‘local Git’.”

Wiz named the vulnerability “NotLegit” and claimed that it has existed since September 2017 and “may have been exploited in the wild.”

The core of the flaw is that when Azure App Service users upload their git repository to the service, the repository lands in the publicly accessible directory /home/site/wwwroot. Among the uploaded files is the .git folder, which contains source code and other confidential information. All of it is left hanging on the web for everyone to see.

And people are looking for it. Wiz’s post stated that it created a vulnerable Azure App Service application and detected multiple attempts to access its .git folder within four days.
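A check for the condition described above, as an added example that is not code from Wiz or Microsoft: it walks a deployed web root and reports Git metadata that the web server would hand out. The function name, the finding labels and the credential pattern are assumptions made for this sketch; the default path is the one named in the article.

```python
"""Audit a web root for Git metadata that would be served as static content."""
import os
import re
import sys

# Web root named in the article for Azure App Service for Linux.
DEFAULT_WEBROOT = "/home/site/wwwroot"
# Constructed pattern (assumption): a remote URL of the form scheme://user:secret@host
_CRED_URL = re.compile(r"url\s*=\s*\w+://[^/\s:@]+:[^/\s@]+@")


def audit_webroot(webroot=DEFAULT_WEBROOT):
    """Return (path relative to webroot, reason) for each exposed Git artifact."""
    if not os.path.isdir(webroot):
        raise NotADirectoryError(webroot)  # never report a missing root as clean
    findings = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        rel = os.path.relpath(dirpath, webroot)
        if ".git" in filenames:
            # A .git *file* is a gitlink left behind by a submodule or worktree.
            findings.append((os.path.join(rel, ".git"), "gitlink file"))
        if ".git" in dirnames:
            dirnames.remove(".git")  # prune: no need to walk the object store
            gitdir = os.path.join(dirpath, ".git")
            # HEAD plus objects/ separates a real repository from a stray folder.
            is_repo = (os.path.isfile(os.path.join(gitdir, "HEAD"))
                       and os.path.isdir(os.path.join(gitdir, "objects")))
            findings.append((os.path.join(rel, ".git"),
                             "git repository" if is_repo else "stray .git directory"))
            config = os.path.join(gitdir, "config")
            if os.path.isfile(config):
                with open(config, encoding="utf-8", errors="replace") as fh:
                    if _CRED_URL.search(fh.read()):
                        findings.append((os.path.join(rel, ".git", "config"),
                                         "remote URL embeds credentials"))
    return [(os.path.normpath(path), reason) for path, reason in findings]


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_WEBROOT
    results = audit_webroot(root)
    for path, reason in results:
        print(f"{os.path.join(root, path)}: {reason}")
    sys.exit(1 if results else 0)  # non-zero exit lets a deploy step fail on findings
```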

Microsoft has acknowledged the flaw and made the point that it affects a “limited subset of customers”, and that it will help make things right.

Wiz has found bad bugs in Azure before: it also found ChaosDB, a defect that allows unauthorized read and write access to Microsoft’s Azure Cosmos DB, and OMIGOD, a series of flaws that allow unauthorized code execution on Azure servers.

Microsoft paid Wiz a $7,500 bounty for discovering the vulnerability, which was responsibly disclosed in September. Microsoft had made recommendations to customers on the issue before it was disclosed in a blog post on December 22. ®
