Microsoft Notifies Customers of Azure Bug That Exposed Their Source Code (therecord.media) 9
Microsoft has notified earlier this month a select group of Azure customers impacted by a recently discovered bug that exposed the source code of their Azure web apps since at least September 2017. The vulnerability was discovered by cloud security firm Wiz and reported to Microsoft in September. The issue was fixed in November, and Microsoft has spent the last few weeks investigating how many customers were impacted. The Record reports: The issue, nicknamed NotLegit, resides in Azure App Service, a feature of the Azure cloud that allows customers to deploy websites and web apps from a source code repository. Wiz researchers said that in situations where Azure customers selected the "Local Git" option to deploy their websites from a Git repository hosted on the same Azure server, the source code was also exposed online.
All PHP, Node, Ruby, and Python applications deployed via this method were impacted, Microsoft said in a blog post today. Only apps deployed on Linux-based Azure servers were impacted, but not those hosted on Windows Server systems. Apps deployed as far back as 2013 were impacted, although the exposure began in September 2017, when the vulnerability was introduced in Azure's systems, the Wiz team said in a report today. [...] The most dangerous exposure scenarios are situations where the exposed source code contained a .git configuration file that, itself, contained passwords and access tokens for other customer systems, such as databases and APIs.
All PHP, Node, Ruby, and Python applications deployed via this method were impacted, Microsoft said in a blog post today. Only apps deployed on Linux-based Azure servers were impacted, but not those hosted on Windows Server systems. Apps deployed as far back as 2013 were impacted, although the exposure began in September 2017, when the vulnerability was introduced in Azure's systems, the Wiz team said in a report today. [...] The most dangerous exposure scenarios are situations where the exposed source code contained a .git configuration file that, itself, contained passwords and access tokens for other customer systems, such as databases and APIs.
prod servers accessing repositories (Score:3)
Prod servers accessing repositories seem to me like a ill scheme to use and I've always rejected any tool that does that. Just package your application and deploy it to prod with sftp. You even lose more points if your prod server has write permissions on the repository :)
Same for prod servers accessing backup servers, get prod hacked and your backups encrypted. Backup servers should pull from prod servers.
Re: (Score:2)
IMHO backup servers should give their 'client' servers C-only access (create). Not the whole CRUD package.
The 'selected group' is what is most concerning (Score:2)
about Microsoft's approach here.
So I guess the gates are still wide open for customers deemed of less importance.
Re: (Score:2)
Given that many of the people programming he serverside things of web apps seem..hmm.. lets say "less than competent", having looked at quite many such, it would likely be helpful for eventual hackers to be able to easily read the code.
So what? (Score:2)
Unless you've hardcoded security settings/passwords etc. in the code, you shouldn't have anything to worry about.