Effective URL: https://www.itnews.com.au/news/microsoft-patches-azure-api-service-against-three-vulnerabilities-594099?eid=65&edate=20230...
MICROSOFT PATCHES AZURE API SERVICE AGAINST THREE VULNERABILITIES

By Richard Chirgwin on May 8, 2023 11:21AM


RESEARCHERS FOUND REQUEST FORGERY, FILE UPLOAD BUGS.

Security researchers have disclosed three now-patched vulnerabilities they
discovered in Microsoft’s Azure API Management service.

The service acts as a publishing hub for a company’s APIs, and provides a
platform to create, manage, secure and analyse APIs.

Ermetic researchers said they found two server-side request forgery (SSRF) bugs,
and an arbitrary file upload bug. 



Exploiting the SSRF vulnerabilities could result in denial-of-service, web
application firewall bypass, and access to internal Azure assets, they said.

The file upload vulnerability would let an attacker upload files to Azure’s
“hosted internal workload” and to “self-hosted developer portals”.



One of the SSRFs involved the service's Cross-Origin Resource Sharing (CORS)
proxy.

A related bug reported by another company had been fixed in November 2022;
Ermetic's bug bypassed that fix. Ermetic reported it in December 2022 and
Microsoft patched it in January 2023.

By manipulating the requested URL, the researchers “managed to get a full SSRF
with a reflected response on the CORS Proxy of the Azure API Management
service."

“This enabled us to send the SSRF with a chosen HTTP verb/method”, they added,
yielding access to Azure internal services.

The other SSRF was in the Azure API Management hosting proxy: the researchers
found that the service's policy management feature let them reach internal
Azure resources.
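To illustrate the bug class Ermetic describes, here is an added Python example (not Ermetic's proof of concept and not Azure API Management code): a proxy endpoint that fetches a caller-supplied URL, with a substring host check of the kind a first fix might add, beside a validator that parses the URL first and checks every address the host resolves to. The allow-list, the host names and the DNS answers are constructed for the example.

```python
"""Target validation for a URL-forwarding proxy, the SSRF bug class described above.

Added example; not Ermetic's proof of concept and not Azure API Management code.
The allow-list and the DNS answers below are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allow-list of hosts the proxy is meant to reach.
ALLOWED_HOSTS = {"api.example.com", "docs.example.com"}

# Constructed DNS answers so the example runs offline; docs.example.com is
# deliberately made to resolve to an internal address (DNS rebinding scenario).
CONSTRUCTED_DNS = {
    "api.example.com": ["93.184.216.34"],
    "docs.example.com": ["10.0.0.5"],
}


def naive_is_allowed(url: str) -> bool:
    """A substring check on the raw URL: the shape of fix that is easy to bypass.

    'http://api.example.com@10.0.0.1/' contains an allowed name, but the parsed
    host is 10.0.0.1 (the allowed name is only the userinfo part of the URL).
    """
    return any(host in url for host in ALLOWED_HOSTS)


def is_internal(ip_text: str) -> bool:
    """True for any address a public-facing proxy should never connect to.

    not is_global covers private, loopback, link-local (169.254.0.0/16, where
    cloud metadata services live) and reserved ranges; multicast is listed
    separately because older Python versions report it as global.
    """
    ip = ipaddress.ip_address(ip_text)
    return (not ip.is_global) or ip.is_multicast


def constructed_lookup(host: str) -> list[str]:
    """Resolver backed by the constructed table above (stand-in for DNS)."""
    return CONSTRUCTED_DNS.get(host, [])


def system_lookup(host: str) -> list[str]:
    """Real resolver: every A and AAAA answer must be checked, not just the first."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def strict_is_allowed(url: str, resolve=constructed_lookup) -> tuple[bool, str]:
    """Parse first, then validate the parsed host and every address it resolves to.

    Returns (allowed, reason). The caller must then connect to one of the checked
    addresses rather than re-resolving the name, or a rebinding resolver can
    change the answer between check and use.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not http(s)"
    host = parts.hostname  # lower-cased; userinfo, port and brackets removed
    if host is None or host not in ALLOWED_HOSTS:
        return False, f"host not allowed: {host!r}"
    addresses = resolve(host)
    if not addresses:
        return False, "host does not resolve"
    for addr in addresses:
        if is_internal(addr):
            return False, f"{host} resolves to internal address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        "http://api.example.com/v1/status",
        "http://api.example.com@10.0.0.1/",          # userinfo trick
        "http://10.0.0.1/#api.example.com",          # fragment trick
        "http://api.example.com.attacker.test/",     # suffix trick
        "http://169.254.169.254/metadata/instance",  # link-local metadata address
        "http://docs.example.com/",                  # allowed name, internal answer
    ):
        print(f"{candidate:45} naive={naive_is_allowed(candidate)!s:5} "
              f"strict={strict_is_allowed(candidate)}")
```

The point of the pairing is the one the article's timeline makes: a check on the URL string can be bypassed by anything the parser interprets differently from the check, so the decision has to be made on the parsed host and on the addresses actually connected to. Swap `constructed_lookup` for `system_lookup` to run it against real DNS.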



The file upload bug was an unrestricted file upload combined with path
traversal in the API Management developer portal, Ermetic said.

"Our finding affects not only Azure itself but also end-users who have deployed
the developer portal themselves," the researchers said.

“We found that Azure does not validate the file type and path of the files
uploaded.

"Authenticated users can traverse the path specified when uploading the files,
upload malicious files to the developer portal server and possibly execute code
on it using DLL hijacking, iisnode config swapping or any other relevant attack
vector.”
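As an added illustration of the upload bug class Ermetic describes (this is not Azure's developer-portal code), the following Python places the unvalidated "before" handler beside a hardened one that rejects traversal segments and unexpected file types, then confirms the resolved path still lies under the upload root. The upload root, the allowed file types and the requested paths are constructed for the example.

```python
"""Upload path containment: the file-upload bug class described above, before and after.

Added example; not Azure developer-portal code. The upload root, the allowed
file types and the requested paths below are constructed for illustration.
"""
from __future__ import annotations

import os
from pathlib import PurePosixPath

# Constructed allow-list of file types the portal is meant to accept.
ALLOWED_SUFFIXES = {".png", ".jpg", ".pdf"}


def vulnerable_target(upload_root: str, requested_path: str) -> str:
    """'Before': the client-supplied path is joined onto the upload root as-is.

    '../' segments walk out of the root, and nothing checks the file type, so
    a caller can drop a DLL or a config file anywhere the worker can write.
    """
    return os.path.normpath(os.path.join(upload_root, requested_path))


def safe_target(upload_root: str, requested_path: str) -> tuple[bool, str]:
    """'After': accept only a plain relative path with an allowed suffix, then
    prove the resolved result still lies under the upload root.

    Returns (True, final_path) or (False, reason).
    """
    if "\x00" in requested_path or "\\" in requested_path:
        # NUL truncates C-string paths; backslash is a separator on Windows/IIS.
        return False, "forbidden character"
    path = PurePosixPath(requested_path)
    if not path.parts:
        return False, "empty path"
    if path.is_absolute():
        return False, "absolute path"
    if any(part == ".." for part in path.parts):
        return False, "traversal segment"
    if path.suffix.lower() not in ALLOWED_SUFFIXES:
        return False, f"file type not allowed: {path.suffix or '(none)'}"
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, *path.parts))
    # realpath follows symlinks, so a link planted inside the root cannot escape it.
    if os.path.commonpath([root, target]) != root:
        return False, "escapes upload root"
    return True, target


if __name__ == "__main__":
    root = "/srv/portal/uploads"  # constructed upload root
    for requested in (
        "images/logo.png",
        "../../inetpub/wwwroot/web.config",  # traversal into the web root
        "plugin.dll",                        # file type a loader might pick up
        "..\\web.config",                    # Windows separator
        "/etc/passwd",
    ):
        print(f"{requested:38} before={vulnerable_target(root, requested)}")
        print(f"{'':38} after ={safe_target(root, requested)}")
```

The suffix allow-list is what stops a DLL or an `iisnode`/`web.config` file from being written at all; the containment check on the resolved path is the defence that still holds if a later change relaxes the name validation.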

Copyright © iTnews.com.au. All rights reserved.
Tags: azure, cloud, microsoft, security, software, vulnerability