• Azure App Service flaw exposes huge collection of source code repositories

    From TechnologyDaily@1337:1/100 to All on Thu Dec 23 12:15:04 2021
    Azure App Service flaw exposes huge collection of source code repositories

    Date:
    Thu, 23 Dec 2021 11:56:07 +0000

    Description:
    Microsoft has deployed a fix and notified affected users, so patch now.

    FULL STORY ======================================================================

    A flaw in Microsoft's Azure App Service has been exposing customer source
    code for years, security researchers have discovered.

    According to cloud security provider Wiz.io, Microsoft's platform for
    building and hosting web apps has contained insecure default behavior in its Linux variant since 2017, and as a result, PHP, Node, Python, Ruby and Java customer source code had been exposed.

    The company named the flaw NotLegit, and said it was probably exploited in
    the wild. IIS-based applications are safe, though. After deploying a vulnerable app of their own, Wiz.io saw a threat actor trying to access the contents of the source code folder on the exposed endpoint within four days.

    However, Wiz.io can't be sure whether someone knew of the NotLegit flaw, or whether it was just a regular scan for exposed .git folders.

    "Small groups of customers are still potentially exposed and should take certain user actions to protect their applications, as detailed in several email alerts Microsoft issued between the 7th - 15th of December, 2021,"
    Wiz.io noted.

    Microsoft acknowledged the flaw, and said it already deployed a fix.

    "MSRC was informed by Wiz.io of an issue where customers can unintentionally configure the .git folder to be created in the content root, which would put them at risk for information disclosure. This, when combined with an application configured to serve static content, makes it possible for others to download files not intended to be public," Microsoft said in an announcement.

    To solve the problem, Microsoft updated all PHP images to disallow serving
    the .git folder as static content as a defense-in-depth measure, notified impacted customers, as well as those who had the .git folder uploaded to the content directory, and updated its Security Recommendations document with an additional section on securing source code. Finally, it updated the documentation for in-place deployments as well.
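    The two checks a defender would run after reading the above, as an added example that is not code from the article, Wiz.io or Microsoft: spotting requests into a .git directory in web-server access logs (the probing Wiz.io observed) and listing any .git directories that ended up under the served content root. The log lines are constructed samples in Common Log Format, and the content root path is whatever directory the app serves static files from.

```python
import re
from pathlib import Path
from typing import Iterable, List, Tuple

# Constructed sample access log (Common Log Format). The client addresses are
# documentation ranges (203.0.113.x, 198.51.100.x), not real hosts.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Dec/2021:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.9 - - [23/Dec/2021:10:01:07 +0000] "GET /.git/HEAD HTTP/1.1" 200 23
203.0.113.9 - - [23/Dec/2021:10:01:08 +0000] "GET /.git/config HTTP/1.1" 200 281
198.51.100.4 - - [23/Dec/2021:10:02:00 +0000] "GET /assets/.git/index?x=1 HTTP/1.1" 404 153
203.0.113.5 - - [23/Dec/2021:10:03:15 +0000] "GET /about.html HTTP/1.1" 200 2048
203.0.113.7 - - [23/Dec/2021:10:04:00 +0000] "GET /blog/.gitignore HTTP/1.1" 200 40
"""

# client identd user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# A path segment that is exactly ".git" at any depth; ".gitignore" must not match.
GIT_SEGMENT_RE = re.compile(r'(^|/)\.git(/|$)')


def is_git_path(path: str) -> bool:
    """True when the request path (query string ignored) reaches into a .git directory."""
    return GIT_SEGMENT_RE.search(path.split('?', 1)[0]) is not None


def find_git_requests(lines: Iterable[str]) -> List[Tuple[str, str, int]]:
    """Return (client, path, status) for every request that touched a .git directory."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_git_path(m.group('path')):
            hits.append((m.group('ip'), m.group('path').split('?', 1)[0], int(m.group('status'))))
    return hits


def served_git_requests(lines: Iterable[str]) -> List[Tuple[str, str, int]]:
    """Only the .git requests answered with 200: the static-content disclosure Microsoft describes."""
    return [hit for hit in find_git_requests(lines) if hit[2] == 200]


def git_dirs_under(content_root: Path) -> List[str]:
    """List every .git directory below the served content root, relative to that root."""
    return sorted(str(p.relative_to(content_root)) for p in content_root.rglob('.git') if p.is_dir())


if __name__ == '__main__':
    for ip, path, status in find_git_requests(SAMPLE_LOG.splitlines()):
        print(f"{ip} requested {path} -> {status}")
```

A 404 for a .git path is a probe that was blocked; a 200 means the repository metadata was actually handed out and the deployment needs the .git folder removed or denied.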

    Via BleepingComputer



    ======================================================================
    Link to news story: https://www.techradar.com/news/azure-app-service-flaw-exposes-hundreds-of-source-code-repositories/


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)