4-Year-Old Microsoft Azure Zero-Day Exposes Web App Source Code

The security vulnerability could expose passwords and access tokens, along with blueprints for internal infrastructure and finding software vulnerabilities.

The Microsoft Azure App Service has a four-year-old vulnerability that could reveal the source code of web apps written in PHP, Python, Ruby or Node that were deployed using Local Git, researchers said.

The bug has almost certainly been exploited in the wild as a zero-day, according to an analysis from Wiz. The firm dubbed the vulnerability “NotLegit,” and said it has existed since September 2017.

The Azure App Service (aka Azure Web Apps) is a cloud computing-based platform for hosting websites and web applications. Local Git, meanwhile, allows developers to initiate a local Git repository within the Azure App Service container in order to deploy code straight to the server. After deployment, the application is accessible to anyone on the internet under the *.azurewebsites.net domain.

The issue arises because when using Local Git, the Git folder is also uploaded and publicly accessible on unpatched systems; it’s placed in the “/home/site/wwwroot” directory, which anyone could access.
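A defender's self-check for the condition described above, added here as an example (it is not code from Wiz, Microsoft or the original article): walk a deployment root such as /home/site/wwwroot, report any `.git` directory that sits under the served content, and flag a remote URL whose userinfo part embeds a credential. The path layout and the sample repository contents are constructed for the demo.

```python
import os
import re
import tempfile
from pathlib import Path

# A remote URL of the form scheme://user:secret@host carries a credential.
_CRED_URL = re.compile(r"^\s*url\s*=\s*\w+://[^/@\s]+:[^/@\s]+@", re.MULTILINE)


def find_exposed_git_dirs(web_root):
    """Walk a deployment root (e.g. /home/site/wwwroot) and report every
    .git directory under it, i.e. inside content the web server may serve.
    Returns a list of dicts describing each finding."""
    web_root = Path(web_root)
    findings = []
    for dirpath, dirnames, _ in os.walk(web_root):
        if ".git" in dirnames:
            git_dir = Path(dirpath) / ".git"
            dirnames.remove(".git")  # do not descend into repository internals
            finding = {
                "path": str(git_dir.relative_to(web_root)),
                "has_head": (git_dir / "HEAD").is_file(),      # full history reachable
                "has_index": (git_dir / "index").is_file(),    # file list reachable
                "remote_has_credentials": False,
            }
            config = git_dir / "config"
            if config.is_file():
                finding["remote_has_credentials"] = bool(_CRED_URL.search(config.read_text()))
            findings.append(finding)
    return findings


def _demo_root():
    """Constructed sample layout mimicking a Local Git deployment (not real data)."""
    root = Path(tempfile.mkdtemp())
    git = root / ".git"
    git.mkdir()
    (git / "HEAD").write_text("ref: refs/heads/master\n")
    (git / "index").write_bytes(b"DIRC")
    (git / "config").write_text(
        '[remote "origin"]\n\turl = https://deploy:EXAMPLE_TOKEN@example.invalid/app.git\n')
    (root / "index.php").write_text("<?php echo 'hello';\n")
    return root


if __name__ == "__main__":
    for finding in find_exposed_git_dirs(_demo_root()):
        print(finding)
```

Run it against the real web root of an affected app to confirm whether the repository metadata is present, and rotate any credential the config check flags.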

This has serious ramifications from a security perspective, according to the firm.

“Besides the possibility that the source contains secrets like

Read More: https://threatpost.com/microsoft-azure-zero-day-source-code/177270/