Microsoft Customer Source Code Exposed via Azure App Service Bug

Published : 23/11/2024   Category : security


Researchers found an insecure default behavior in Azure App Service exposing source code of some customer applications deployed using Local Git.



Researchers discovered a security flaw in Azure App Service that exposed the source code of customer applications written in PHP, Python, Ruby, or Node that were deployed using Local Git.
The insecure default behavior was dubbed NotLegit by the Wiz research team, who found the bug. They say the vulnerability has existed since September 2017 and believe it has probably been exploited in the wild. Wiz reported the findings to Microsoft on Oct. 7, 2021, and it has since been mitigated, though small groups of customers are still potentially exposed, Wiz notes.
Azure App Service, otherwise known as Azure Web Apps, is a cloud-based platform for hosting Web applications and websites. There are multiple ways to deploy source code and artifacts to the Azure App Service. One of these is Local Git, through which users initiate a local Git repository in the Azure App Service container, which lets them push their code to the server.
When Local Git was used to deploy to Azure App Service, the Git repository was created inside the publicly served content root (/home/site/wwwroot), so anyone could request files from it, the researchers explain in a blog post. Microsoft was aware of this, and to protect the files it added a web.config file to the .git folder in that public directory, which restricted public access. However, only the Microsoft Internet Information Services (IIS) Web server honors web.config files, they note.
This meant that for customers using C# or ASP.NET, whose applications are served by IIS, Microsoft's mitigation worked. But PHP, Ruby, Python, and Node applications are served by different Web servers that don't process web.config files, so the mitigation never applied to them, and those applications were exposed to attackers who could retrieve files that were never intended to be public.
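To make the mechanism concrete, the following is an added example, not code from the article, Wiz, or Microsoft: a small checker an application owner can run against their own App Service hostnames. It probes the well-known Git metadata paths under the content root and classifies the response bodies rather than trusting status codes, because many frameworks answer 200 with an HTML error page for any path. The host names and response bodies embedded in it are constructed for the offline run, not captured from any real site.

```python
"""Detect a publicly served .git directory, the exposure behind NotLegit.

Added example, not from the article or the vendors involved. Requests a few
well-known Git metadata paths under a site root and decides, from the body
rather than the status code alone, whether the repository is really being
served. The fetch function is injectable so the logic runs offline against
constructed responses."""

import re
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# Paths worth probing: each has a distinctive, easily recognised format.
GIT_PROBES = ("/.git/HEAD", "/.git/config", "/.git/index")

# HEAD is either "ref: refs/heads/<branch>" or a bare commit hash (SHA-1 or SHA-256).
_HEAD_RE = re.compile(rb"^(ref: refs/\S+|[0-9a-f]{40}|[0-9a-f]{64})$")


def looks_like_git_head(body: bytes) -> bool:
    return bool(_HEAD_RE.match(body.strip()))


def looks_like_git_config(body: bytes) -> bool:
    # A Git config always carries a [core] section with repositoryformatversion.
    return b"[core]" in body and b"repositoryformatversion" in body


def looks_like_git_index(body: bytes) -> bool:
    # The index file starts with the 4-byte signature "DIRC".
    return body.startswith(b"DIRC")


_CLASSIFIERS = {
    "/.git/HEAD": looks_like_git_head,
    "/.git/config": looks_like_git_config,
    "/.git/index": looks_like_git_index,
}

Fetcher = Callable[[str], Tuple[int, bytes]]


def urllib_fetch(url: str, timeout: float = 5.0) -> Tuple[int, bytes]:
    """Default fetcher: (status, first 4 KiB of body); never raises."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as e:
        return e.code, b""
    except (urllib.error.URLError, OSError):
        return 0, b""


def check_git_exposure(base_url: str, fetch: Fetcher = urllib_fetch) -> Dict[str, bool]:
    """Return {path: exposed}; exposed means 200 plus a body that parses as
    the expected Git artifact, so soft-404 HTML pages do not count."""
    base = base_url.rstrip("/")
    results = {}
    for path in GIT_PROBES:
        status, body = fetch(base + path)
        results[path] = status == 200 and _CLASSIFIERS[path](body)
    return results


def is_exposed(results: Dict[str, bool]) -> bool:
    """HEAD or config alone is enough to confirm a served repository."""
    return results.get("/.git/HEAD", False) or results.get("/.git/config", False)


# Constructed sample responses (hypothetical hosts, not captured from any real
# site): one host that really serves its .git folder, and a soft-404 host that
# answers 200 with HTML for every path.
CONSTRUCTED_RESPONSES = {
    "https://leaky.example/.git/HEAD": (200, b"ref: refs/heads/master\n"),
    "https://leaky.example/.git/config": (
        200, b"[core]\n\trepositoryformatversion = 0\n\tfilemode = false\n\tbare = false\n"),
    "https://leaky.example/.git/index": (200, b"DIRC\x00\x00\x00\x02\x00\x00\x00\x05"),
}


def constructed_fetch(url: str) -> Tuple[int, bytes]:
    """Fetcher backed by CONSTRUCTED_RESPONSES; unknown URLs get a 404."""
    return CONSTRUCTED_RESPONSES.get(url, (404, b""))


def soft_404_fetch(url: str) -> Tuple[int, bytes]:
    """Fetcher modelling an app that returns 200 + HTML for any path."""
    return 200, b"<!doctype html><html><body>Page not found</body></html>"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target, fetcher = sys.argv[1], urllib_fetch
    else:
        target, fetcher = "https://leaky.example", constructed_fetch
    report = check_git_exposure(target, fetcher)
    for p, hit in report.items():
        print(f"{p}: {'EXPOSED' if hit else 'not served'}")
    print("verdict:", "repository is downloadable" if is_exposed(report) else "no .git exposure detected")
```

Run it as `python3 check_git_exposure.py https://<your-app>.azurewebsites.net`; with no argument it runs against the constructed samples. A confirmed hit means the whole repository, history and any committed secrets included, can be reconstructed with standard tooling. On a stack that does not honor web.config, the protection has to live in the web server's own configuration as a rule that refuses any request whose path contains /.git; a file placed inside the .git folder cannot protect that folder, because the folder's contents are exactly what is being served.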
"As a result, customers could unintentionally configure the .git folder to be created in content root. This put them at risk for information disclosure. This issue, combined with an application configured to serve static content, would enable attackers to download their files," the Microsoft Security Response Center wrote in a blog post. "This happens because the system attempts to preserve the currently deployed files as part of repository contents, and activates what is referred to as in-place deployments by deployment engine (Kudu)."
Microsoft released its own update today stating that the issue is limited to Azure App Service Linux customers who deployed applications using Local Git after files had already been created or changed in the content root directory. Applications deployed on Microsoft's IIS by Azure App Service Windows customers are not affected.
"Customers who deployed code to App Service Linux via Local Git after files were already created in the application were the only impacted customers," Microsoft wrote.
After learning of the issue, Microsoft says it updated all of its PHP images to stop serving the .git folder as static content. Customers affected by the issue have been notified, it added.





