NotLegit Vulnerability Azure App Service Makes Source Code Public

Security specialist Wiz warns of a vulnerability in Microsoft’s Azure App Service. The vulnerability exposes hundreds of source code repositories. Microsoft has since patched the leak.

Wiz discovered the so-called NotLegit vulnerability in Azure App Service. The service, also known as Azure Web Apps, is a platform for hosting websites and web-based applications. Source code and artifacts can be uploaded to Azure App Service using the Local Git tool. Users can set up a Local Git repository with the Azure App Service container and push the code directly to the server.

According to the researchers, this is precisely where the vulnerability lies. When using Local Git to roll out the code to the Azure App Service, the git repository was set up with a publicly accessible directory that everyone can access.

Several code languages ​​affected

Especially source code written in PHP, Python, Ruby or Node is vulnerable. This is partly because these code languages ​​often use web servers such as Apache, Nginx and Flask. These web servers cannot handle web.config files. This allows public access to said source code repositories.

Known to Microsoft

The security specialists at Wiz already informed Microsoft of the vulnerability at the beginning of October this year. Microsoft has since closed it. In any case, the experts urge users to check whether their source code has been revealed and to take action for their applications.