A security flaw found in Azure App Service, a Microsoft-managed platform for building and hosting web applications, has led to the exposure of PHP, Node, Python, Ruby, or Java client source code for at at least four years, since 2017.
Only Azure App Service Linux customers were affected by the issue discovered and reported by researchers at cloud security provider Wiz.io, as IIS-based applications deployed by Azure App Service Windows customers were not affected.
“The vulnerability, which we have dubbed ‘NotLegit’, has been around since September 2017 and has probably been exploited in the wild”, Wiz.io added.
“Small groups of customers are still potentially at risk and should take certain user actions to protect their applications, as detailed in several email alerts Microsoft issued between December 7 and December 15, 2021.”
The researchers tested their theory that the insecure default behavior in Azure App Service Linux was likely exploited in the wild by deploying their own vulnerable application.
In just four days, they saw the first attempts by malicious actors to access the contents of the exposed source code file.
While this could indicate that attackers are already aware of the NotLegit flaw and are specifically trying to find the source code of exposed Azure App Service applications, these scans could also be explained as normal scans for exposed .git folders.
As BleepingComputer previously reported, attackers gained access to files belonging to leading organizations after finding .git public folders, including several Indian government and United Nations Environment Program sites ( UNEP).
Affected Azure App Service apps include all PHP, Node, Python, Ruby, and Java apps coded to serve static content if:
- deployed using Local Git on a clean default app in Azure App Service from 2013
- deployed to Azure App Service since 2013 using any Git source, after a file has been created or edited in the app container
Defect mitigated, exposed customers notified
“MSRC has been informed by Wiz.io [..] an issue where customers may unintentionally configure the .git folder to be created in the content root, which would put them at risk of information disclosure, ”Microsoft noted today.
“This, when combined with an application configured to serve static content, allows others to download files that are not intended to be public. “
The Azure App Service team and MSRC have already applied a patch designed to cover the most affected customers and alerted all customers still at risk after enabling in-place deployment or uploading the .git folder to the content directory.
Microsoft mitigated the flaw by updating PHP images to disallow the .git folder from serving as static content.