source: http://www.securityfocus.com/bid/197/info On January 28, 1999, Georgi Guninski originally reported a vulnerability in Internet Explorer 4.x. Internet Explorer 4.x's implentation of Cross-frame security could be bypassed if "%01" is appended to an arbitrary URL. If the specially malformed URL is inserted in a javascript after an 'about:' statement, arbitrary code can be executed on the target host. Successful exploitation could lead to access to local files, window spoofing, and arbitrary code execution. On October 6, 2000, Alp Sinan discovered that a variation of this vulnerability exists in Microsoft Internet Explorer 5.5. Instead of using "%01", the ASCII equivalents of "^A" or "" can be used instead. Georgi Guninski <[email protected]> has set up the following demonstration pages: Exploit through HTML mail message: http://www.guninski.com/scriptlet.html http://www.guninski.com/scrspoof.html Exploit through TDC: http://www.guninski.com/scrauto.html Alp Sinan <[email protected]> has set up the following demonstration pages: Reading of local files: http://horoznet.com/AlpSinan/localread.htm Window spoofing: http://horoznet.com/AlpSinan/webspoof.htm Cross-frame security circumvention http://horoznet.com/AlpSinan/crossframe.htm