4-Year-Old Bug in Azure App Service Exposed Hundreds of Source Code Repositories

December 23, 2021

A security flaw has been found in Microsoft's Azure App Service that resulted in the exposure of the source code of customer applications written in Java, Node, PHP, Python, and Ruby for at least four years, since September 2017.

The vulnerability, codenamed "NotLegit," was reported to the tech giant by Wiz researchers on October 7, 2021, after which mitigations were rolled out to address the information disclosure bug in November. Microsoft said a "limited subset of customers" was affected, adding: "Customers who deployed code to App Service Linux via Local Git after files were already created in the application were the only impacted customers."


Azure App Service (aka Azure Web Apps) is a cloud-based platform for building and hosting web applications. It lets users deploy source code and artifacts to the service from a local Git repository, or from repositories hosted on GitHub and Bitbucket.


The insecure default behavior occurs when the Local Git method is used to deploy to Azure App Service: the Git repository is created inside a publicly accessible directory (home/site/wwwroot).

While Microsoft does add a "web.config" file to the .git folder (which holds the state and history of the repository) to restrict public access, that configuration file is only honored by C# or ASP.NET apps that run on Microsoft's own IIS web servers. Apps written in other languages such as PHP, Ruby, Python, or Node, and deployed behind servers such as Apache, Nginx, or Flask, get no such protection.
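For the deployment case the article describes, a Python app served by something other than IIS, the equivalent of that web.config rule has to live in the app or its server. The following is an added example, not code from the article, Microsoft, or Wiz: a standard-library WSGI middleware (names `DenyDotDirs` and `is_blocked_path` are my own) that refuses any request into a `.git` directory, including percent-encoded and `..`-traversal spellings, so a repository left under wwwroot cannot be fetched over HTTP.

```python
import posixpath
from urllib.parse import unquote

# Directory names that must never be served; extend as needed (e.g. ".svn", ".env").
BLOCKED_DIRS = frozenset({".git"})

def is_blocked_path(path, blocked=BLOCKED_DIRS):
    """True if any segment of the request path names a blocked directory.

    Percent-decode and normalise first so /%2Egit/HEAD and /static/../.git/config
    are caught as well as plain /.git/. (WSGI servers usually hand over a decoded
    PATH_INFO already; decoding it again is harmless.)
    """
    normalised = posixpath.normpath("/" + unquote(path).lstrip("/"))
    return any(seg.lower() in blocked for seg in normalised.split("/"))

class DenyDotDirs:
    """Wrap any WSGI app; blocked paths get a plain 404 and never reach the app."""

    def __init__(self, app, blocked=BLOCKED_DIRS):
        self.app = app
        self.blocked = blocked

    def __call__(self, environ, start_response):
        if is_blocked_path(environ.get("PATH_INFO", ""), self.blocked):
            body = b"Not Found"
            start_response("404 Not Found", [("Content-Type", "text/plain"),
                                              ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)

def hello_app(environ, start_response):
    """Stand-in for the real application (constructed for this demo)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]

application = DenyDotDirs(hello_app)  # the object a WSGI server would import

def status_for(path):
    """Run one GET through the wrapped app and return the status line produced."""
    seen = {}
    def start(status, headers, exc_info=None):
        seen["status"] = status
    list(application({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start))
    return seen["status"]

if __name__ == "__main__":
    for p in ["/", "/index.php", "/.git/HEAD", "/%2Egit/config", "/static/../.git/config"]:
        print(f"{p:26} -> {status_for(p)}")
```

The middleware is a backstop only; the repository should also be kept out of the served directory, and a front server such as Nginx or Apache should deny `/.git` before the request reaches the app.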


"In essence, all a malicious actor had to do was to fetch the '/.git' directory from the target application, and retrieve its source code," Wiz researcher Shir Tamari said. "Malicious actors are continuously scanning the internet for exposed Git folders from which they can collect secrets and intellectual property. Besides the possibility that the source contains secrets like passwords and access tokens, leaked source code is often used for further sophisticated attacks."

"Finding vulnerabilities in software is much easier when the source code is available," Tamari added.



Some sections of this article are sourced from:
thehackernews.com

Copyright © TheCyberSecurity.News, All Rights Reserved.