Wiz said all PHP, Node, Ruby, and Python applications that were deployed using “Local Git” on a clean default application in Azure App Service since September 2017 are affected. They added that all PHP, Node, Ruby, and Python applications that were deployed in Azure App Service from September 2017 onward using any Git source — after a file was created or modified in the application container — were also affected.
Microsoft clarified in their response that the issue affects App Service Linux customers who deployed applications using Local Git after files were created or modified in the content root directory. They explained that this happens “because the system attempts to preserve the currently deployed files as part of repository contents, and activates what is referred to as in-place deployments by deployment engine (Kudu).”
“The images used for PHP runtime were configured to serve all static content in the content root folder. After this issue was brought to our attention, we updated all PHP images to disallow serving the .git folder as static content as a defense in depth measure,” Microsoft explained.
They noted that not all users of Local Git were impacted by the vulnerability, and that Azure App Service on Windows was not affected.
Microsoft has notified the affected customers, both those impacted because in-place deployment was activated and those who had the .git folder uploaded to the content directory. The company also updated its Security Recommendations document with an additional section on securing source code, and updated the documentation for in-place deployments.
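The failure mode Microsoft describes is a static file server that hands out whatever sits in the content root, including the repository metadata. The check below is an example added here, not code from the article, Wiz or Microsoft: it requests a couple of well-known files under /.git/ and reports exposure only when the response body actually looks like Git metadata, so an application that answers every path with a 200 HTML fallback page is not flagged. The probe paths, the User-Agent string and the sample responses are constructed for illustration.

```python
"""Check whether a web app serves its .git directory as static content.

Added example (not part of the original article or of any vendor tooling).
Only /.git/HEAD and /.git/config are probed; both have a recognisable shape,
which lets the check reject HTML fallback pages that return HTTP 200.
"""
import re
import urllib.error
import urllib.request

# Assumption: a server that exposes the .git folder exposes these two files.
GIT_PROBES = {
    # "ref: refs/heads/main" or a detached 40/64-hex object id
    "/.git/HEAD": re.compile(rb"^(ref: refs/\S+|[0-9a-f]{40}|[0-9a-f]{64})\s*$"),
    # a git config file always starts with a [core] section
    "/.git/config": re.compile(rb"^\s*\[core\]", re.M),
}


def classify(path: str, status: int, body: bytes) -> bool:
    """Return True only if the body is plausible Git metadata for *path*."""
    if status != 200:
        return False
    pattern = GIT_PROBES.get(path)
    if pattern is None:
        return False
    # A 200 that is really an HTML fallback or error page is not a leak.
    if body.lstrip()[:1] == b"<":
        return False
    return pattern.search(body) is not None


def exposed_paths(responses: dict) -> list:
    """responses maps path -> (status, body); returns the paths that leak Git data."""
    return [p for p, (status, body) in responses.items() if classify(p, status, body)]


def fetch(base_url: str, path: str, timeout: float = 5.0):
    """GET base_url + path and return (status, first 4 KiB of body). Network helper."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"User-Agent": "git-exposure-check"},  # constructed UA string
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096)
    except urllib.error.HTTPError as err:
        return err.code, b""


def check_site(base_url: str) -> list:
    """Probe a live site; returns the list of exposed paths (empty if none)."""
    return exposed_paths({p: fetch(base_url, p) for p in GIT_PROBES})


# Constructed sample responses, not captured from any real host.
SAMPLE_EXPOSED = {
    "/.git/HEAD": (200, b"ref: refs/heads/master\n"),
    "/.git/config": (200, b"[core]\n\trepositoryformatversion = 0\n\tbare = false\n"),
}
SAMPLE_SPA_FALLBACK = {
    "/.git/HEAD": (200, b"<!doctype html><html><body>app</body></html>"),
    "/.git/config": (200, b"<!doctype html><html><body>app</body></html>"),
}
SAMPLE_DENIED = {
    "/.git/HEAD": (403, b""),
    "/.git/config": (404, b"Not Found"),
}

if __name__ == "__main__":
    import sys
    for url in sys.argv[1:]:
        print(url, check_site(url) or "no .git exposure detected")
```

Run it as `python check_git_exposure.py https://yourapp.example` against your own deployments only; a non-empty list means the repository, and any secrets ever committed to it, can be reconstructed by anyone who can reach the site. Note that a 403 from the web server is the expected result after a deny rule for `.git` is in place, and this check treats it as not exposed.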
The Wiz Research Team said on Tuesday that it first notified Microsoft of the issue on October 7 and worked with the company through the month to address it. The fix was deployed in November, and customers were notified by December. Wiz was paid a bug bounty of $7,500.
Microsoft did not say if