Microsoft fixes NotLegit, a bug that exposed the source code of apps written in PHP and Python in Azure App Service for Linux


The Wiz research team discovered a security issue in Azure App Service that exposed the source code of customer applications written in PHP, Python, Ruby or Node that were deployed using "Local Git", as publicly announced three days ago. The vulnerability, dubbed "NotLegit", has existed since September 2017 and has likely been exploited, according to Wiz researchers, who reported the problem to Microsoft in October this year.

Wiz said that all PHP, Node, Ruby and Python applications deployed to a clean default app in Azure App Service using "Local Git" since September 2017 are affected, as are applications deployed to Azure App Service since September 2017 from any Git source after a file was created or modified in the application container.



Only Linux has been affected, according to Microsoft


The Microsoft Security Response Center has posted on its blog how it responded to the "NotLegit" bug in Azure. According to Redmond, only App Service customers on Linux were affected. They explained that this happens "because the system tries to preserve the currently deployed files as part of the repository content, and triggers what is known as in-place deployments by the deployment engine (Kudu)."

"Not all Local Git users were affected. Customers who deployed code to App Service Linux via Local Git after files were generated in the application were the only affected customers," Microsoft says. Azure App Service on Windows has not been affected, since it runs in an IIS-based environment.

Wiz CTO Ami Luttwak is a former manager of Microsoft's cloud security group, and this is not the first time the company has discovered bugs in Redmond's software.

In August, the company discovered a vulnerability that allowed it to access a large amount of data belonging to customers of Microsoft's Azure cloud services, specifically through the Cosmos DB database. The company was able to access their databases and, upon discovery, had the ability not only to view the content but also to change and delete information in the customers' Azure Cosmos DB databases.

Microsoft’s answer to fix vulnerabilities


Microsoft has said that the images used for the PHP runtime were configured to serve all static content from the content root folder. After learning of the issue, **Microsoft has updated all PHP images so that the .git folder is no longer served as static content** as a defensive measure.

For Node, Python, Java and Ruby, "since the application code controls whether it serves static content," the company recommends that customers review their code to make sure only the relevant code is served.
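To make the difference between the two behaviours concrete, here is an added example (not Microsoft's, Kudu's or Wiz's code) of a minimal static-file resolver: with `deny_hidden=False` it reproduces the pre-fix behaviour of serving everything under the content root, .git included, and with `deny_hidden=True` it applies the kind of check the recommendation above asks application authors to verify. The sample web root, function names and file contents are constructed for the demonstration.

```python
import tempfile
from pathlib import Path


def make_sample_app_root() -> Path:
    """Construct a throwaway web root resembling a Local Git deployment:
    application files plus the .git metadata that ended up in the content dir."""
    root = Path(tempfile.mkdtemp(prefix="appsvc_demo_"))
    (root / "index.php").write_text("<?php echo 'hello'; ?>")
    (root / ".git").mkdir()
    (root / ".git" / "HEAD").write_text("ref: refs/heads/master\n")
    (root / ".git" / "config").write_text("[core]\n\trepositoryformatversion = 0\n")
    return root


def resolve_static(root: Path, url_path: str, deny_hidden: bool):
    """Map a request path to a file under root and return (status, body).

    deny_hidden=False mirrors the weak configuration described above (any file
    under the root is served); deny_hidden=True is the hardened form that
    refuses dot-prefixed entries such as .git, .env or .htaccess."""
    root = root.resolve()
    target = (root / url_path.lstrip("/")).resolve()
    # Never leave the content root: blocks ../ traversal regardless of mode.
    if target != root and root not in target.parents:
        return 403, b""
    if deny_hidden:
        rel = target.relative_to(root)
        # Any dot-prefixed path component anywhere in the path is refused.
        if any(part.startswith(".") for part in rel.parts):
            return 404, b""
    if not target.is_file():
        return 404, b""
    return 200, target.read_bytes()


def audit_root(root: Path) -> list:
    """Defender's check: list dot-directories sitting inside the web root that a
    serve-everything static configuration would expose."""
    return sorted(p.name for p in root.iterdir()
                  if p.is_dir() and p.name.startswith("."))
```

Running `audit_root` against a deployed app's content directory is the quickest way to confirm whether repository metadata landed next to the served files; the resolver shows why that matters only when the static handler does not filter hidden paths.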

Microsoft says it has notified affected customers about how to mitigate the issue, and has also told customers that had the .git folder present in their content directory. The firm has updated its security recommendations document with an additional section on source code security.

