Cloud security vendor Wiz.io discovered a four-year-old bug in the Microsoft Azure App Service that exposed the source code of customer applications written in PHP, Python, Ruby, or Node and deployed using “Local Git”.
The vulnerability, dubbed “NotLegit”, has existed since September 2017 and has probably been exploited in the wild. The issue resides in the Azure App Service: when users deploy with the “Local Git” deployment method, the .git folder gets created in the content root, which puts their data and source code at risk of information disclosure.
This behavior of Azure App Service via Local Git was known to Microsoft, and the company added a “web.config” file to the .git folder within the public directory that restricts public access. However, only Microsoft's IIS web server handles “web.config” files.
What is Local Git?
Azure supports multiple methods to deploy source code and artifacts to the Azure App Service, one of which is using “Local Git”. With “Local Git”, users initiate a local Git repository within the Azure App Service container that enables developers to push their code straight to the server.
What is NotLegit Bug?
As mentioned above, all applications that use C# or ASP.NET are deployed on the IIS server, and on the IIS server Microsoft adds the “web.config” file to the .git folder within the public directory that restricts public access. But applications developed in PHP, Ruby, Python, or Node and deployed via the Local Git method run on different web servers (Apache, Nginx, Flask, etc.), and these web servers do not handle “web.config” files, leaving them completely vulnerable.
Who's affected by the NotLegit Bug?
According to Microsoft, all PHP, Node, Ruby, and Python applications deployed via this method were impacted:
- All PHP, Node, Ruby, and Python applications that were deployed using “Local Git” on a clean default application in Azure App Service since 2013
- All PHP, Node, Ruby, and Python applications that were deployed in Azure App Service from 2013 onward using any Git source, after a file was created or modified in the application container.
- App Service Linux customers who deployed applications using Local Git after files were created or modified in the content root directory are impacted.
- PHP, Node, Python, Ruby, and Java applications coded to serve static content:
  - PHP: The images used for PHP runtime were configured to serve all static content in the content root folder. After this issue was brought to our attention, we updated all PHP images to disallow serving the .git folder as static content as a defense-in-depth measure.
  - Node, Python, Java, and Ruby: For these languages, since the application code controls whether it serves static content, we recommend customers review the code to make sure that only the relevant code is served out.
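For the Node, Python, Java, and Ruby case above, where the application itself decides what static content is public, the check below is an added example (not code from Wiz, Microsoft, or Azure) of refusing hidden directories such as .git before any file lookup. It assumes a Python app serving its content root with the standard-library http.server as a stand-in for whatever static handler the app uses; ALLOWED_DOT_DIRS is an assumed allowlist for hidden paths that must stay reachable.

```python
import posixpath
from http.server import HTTPServer, SimpleHTTPRequestHandler
from urllib.parse import unquote, urlsplit

# Any dot-prefixed path segment (.git, .svn, .env, ...) is refused. ".git" is
# the directory NotLegit exposed; the allowlist below is an assumption for
# hidden directories that must stay reachable, such as ACME challenges.
ALLOWED_DOT_DIRS = {".well-known"}

def is_exposed_path(request_path: str) -> bool:
    """True if the request would reach a hidden (dot-prefixed) path.
    The path is percent-decoded twice and normalised before inspection so
    that encoded (/%2egit/HEAD) or traversal (/static/../.git/config) forms
    are caught, not just the literal "/.git/..." prefix.
    """
    raw = urlsplit(request_path).path          # drop ?query and #fragment
    decoded = unquote(unquote(raw))            # handle double encoding too
    normalised = posixpath.normpath("/" + decoded)
    for segment in normalised.split("/"):
        if segment.startswith(".") and segment not in ALLOWED_DOT_DIRS:
            return True
    return False

class HardenedStaticHandler(SimpleHTTPRequestHandler):
    """SimpleHTTPRequestHandler serves the content root verbatim, .git included
    (the PHP-image failure mode); this subclass refuses hidden paths first."""

    def _refuse_if_hidden(self) -> bool:
        if is_exposed_path(self.path):
            self.log_message("blocked hidden path %s", self.path)
            self.send_error(403, "Forbidden")
            return True
        return False

    def do_GET(self):
        if not self._refuse_if_hidden():
            super().do_GET()

    def do_HEAD(self):
        if not self._refuse_if_hidden():
            super().do_HEAD()

if __name__ == "__main__":
    # Constructed sample paths: the first three must be refused, the rest served.
    for p in ["/.git/HEAD", "/%2egit/config", "/static/../.git/logs/HEAD",
              "/index.php", "/.well-known/acme-challenge/token"]:
        print(f"{p:40} exposed={is_exposed_path(p)}")
    # Serve the current directory on localhost with the hardened handler.
    HTTPServer(("127.0.0.1", 8000), HardenedStaticHandler).serve_forever()
```

The same segment check applies equally to a reverse-proxy rule in front of the app; the point is that the decision is made by the component that actually serves the files, not by a web.config nobody reads.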
Exploited in the Wild
- Users who deployed code via FTP, Web Deploy, or Bash/SSH, which resulted in files being initialized in the web app before any Git deployment.
- Users who enabled Local Git on the web app.
- Users who subsequently ran a Git clone/push sequence to publish updates.