##########################################
Maxthon Browser URI about: Dialog XSS.
Vendor URL: http://www.maxthon.com/
Advisory: http://lostmon.blogspot.com/2008/09/avant-browser-uri-about-dialog-xss_05.html
Vendor notified: yes Exploit available: yes
##########################################
##########################
Vulnerability description
##########################
Maxthon Browser contains a flaw that allows a remote
cross-site scripting attack. The flaw exists because
the application does not validate input in the 'about:'
URI dialog. This could allow a user to create a specially
crafted URL that would execute arbitrary code in a user's
browser within the trust relationship between the browser
and the server, leading to a loss of integrity.
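Added example (not from the original advisory and not Maxthon's code):
a sketch of the weak rendering pattern beside a hardened one, assuming
the browser builds an internal HTML page that echoes the text after
'about:' into a quoted attribute and the body. The function names and
the list of known pages are hypothetical.

```javascript
// Added illustration; not Maxthon's code. Assumption: the browser builds an
// internal HTML page that echoes the text following "about:".

// Hypothetical allowlist of built-in pages (names are assumptions).
const KNOWN_PAGES = new Set(["blank", "version", "plugins"]);

// Encode every character that can end a text node or a quoted attribute.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Weak form: the raw URI text is concatenated into an attribute and the body.
function renderAboutUnsafe(uri) {
  const page = uri.slice("about:".length);
  return `<html><body><input value="${page}"><p>${page}</p></body></html>`;
}

// Hardened form: allowlisted names get a fixed page; anything else is
// displayed only after HTML encoding, so it stays inert text.
function renderAboutSafe(uri) {
  if (typeof uri !== "string" || !uri.toLowerCase().startsWith("about:")) {
    throw new TypeError("not an about: URI");
  }
  const page = uri.slice("about:".length);
  if (KNOWN_PAGES.has(page.toLowerCase())) {
    return `<html><body><h1>about:${page.toLowerCase()}</h1></body></html>`;
  }
  const shown = escapeHtml(page);
  return `<html><body><input value="${shown}"><p>Unknown page: ${shown}</p></body></html>`;
}

// Input taken from the advisory's test case.
const sample = 'about:"><script>alert(1)</script>';

console.log(renderAboutUnsafe(sample)); // markup from the URI reaches the page
console.log(renderAboutSafe(sample));   // same text, encoded
```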
#################
Versions
################
Maxthon Browser 1.6.4 build 20 Vulnerable
Maxthon Browser 2.0.2.2961 Not vulnerable
Apparently, according to the changelog of this version (2.0.2.2961),
the vendor has changed some parts of the about dialog, so
this vulnerability is patched after this version; versions
prior to it may be vulnerable too.
ChangeLog from Maxthon:
http://www.maxthon.com/changelog.htm
###################
Solution
###################
Update to version 2.0.2.2961 or the latest build.
###################
Timeline
##################
Discovered: 16-08-2008
Vendor notified: 05-09-2008
Vendor response: ---
Public disclosure: ----
###################
Proof of Concept.
###################
#############
Test
#############
Enter this in your Maxthon Browser address bar:
about:"><script>alert(1)</script>
or create a link like:
<a href='about:"><script>alert(1)</script>'>Maxthon Browser XSS</a>
############## €nd ###################
Thanks to estrella for being my light
Thanks to all the Lostmon Team!
Thanks to imydes from www.imydes.com
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....