source: https://www.securityfocus.com/bid/197/info
On January 28, 1999, Georgi Guninski originally reported a vulnerability in Internet Explorer 4.x. Internet Explorer 4.x's implentation of Cross-frame security could be bypassed if "%01" is appended to an arbitrary URL. If the specially malformed URL is inserted in a javascript after an 'about:' statement, arbitrary code can be executed on the target host. Successful exploitation could lead to access to local files, window spoofing, and arbitrary code execution.
On October 6, 2000, Alp Sinan discovered that a variation of this vulnerability exists in Microsoft Internet Explorer 5.5. Instead of using "%01", the ASCII equivalents of "^A" or "" can be used instead.
Georgi Guninski <guninski@guninski.com> has set up the following demonstration pages:
Exploit through HTML mail message:
http://www.guninski.com/scriptlet.html
http://www.guninski.com/scrspoof.html
Exploit through TDC:
http://www.guninski.com/scrauto.html
Alp Sinan <alp@uk2.net> has set up the following demonstration pages:
Reading of local files:
http://horoznet.com/AlpSinan/localread.htm
Window spoofing:
http://horoznet.com/AlpSinan/webspoof.htm
Cross-frame security circumvention
http://horoznet.com/AlpSinan/crossframe.htm