Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Bug Microsoft

Microsoft Notifies Customers of Azure Bug That Exposed Their Source Code (therecord.media) 9

Microsoft has notified earlier this month a select group of Azure customers impacted by a recently discovered bug that exposed the source code of their Azure web apps since at least September 2017. The vulnerability was discovered by cloud security firm Wiz and reported to Microsoft in September. The issue was fixed in November, and Microsoft has spent the last few weeks investigating how many customers were impacted. The Record reports: The issue, nicknamed NotLegit, resides in Azure App Service, a feature of the Azure cloud that allows customers to deploy websites and web apps from a source code repository. Wiz researchers said that in situations where Azure customers selected the "Local Git" option to deploy their websites from a Git repository hosted on the same Azure server, the source code was also exposed online.

All PHP, Node, Ruby, and Python applications deployed via this method were impacted, Microsoft said in a blog post today. Only apps deployed on Linux-based Azure servers were impacted, but not those hosted on Windows Server systems. Apps deployed as far back as 2013 were impacted, although the exposure began in September 2017, when the vulnerability was introduced in Azure's systems, the Wiz team said in a report today. [...] The most dangerous exposure scenarios are situations where the exposed source code contained a .git configuration file that, itself, contained passwords and access tokens for other customer systems, such as databases and APIs.

This discussion has been archived. No new comments can be posted.

Microsoft Notifies Customers of Azure Bug That Exposed Their Source Code

Comments Filter:
  • by ls671 ( 1122017 ) on Wednesday December 22, 2021 @06:09PM (#62107449) Homepage

    Prod servers accessing repositories seem to me like a ill scheme to use and I've always rejected any tool that does that. Just package your application and deploy it to prod with sftp. You even lose more points if your prod server has write permissions on the repository :)

    Same for prod servers accessing backup servers, get prod hacked and your backups encrypted. Backup servers should pull from prod servers.

    • by Xenna ( 37238 )

      IMHO backup servers should give their 'client' servers C-only access (create). Not the whole CRUD package.

  • about Microsoft's approach here.
    So I guess the gates are still wide open for customers deemed of less importance.

  • Unless you've hardcoded security settings/passwords etc. in the code, you shouldn't have anything to worry about.

"The only way for a reporter to look at a politician is down." -- H.L. Mencken

Working...