Description:

Internet Explorer 5.0 under Windows 95 and Windows NT 4.0 (suppose Win98 is vulnerable)
allows reading local text files (the extension does not matter) and parts of binary files.
It is also possible to read text files from any domain and in some cases reading files from a web server behind a firewall.

Details:

The problem is the IE feature "download behavior".
It is possible to click on a link and a callback function to be executed.
When the callback function is executed by "startDownload" method, the downloaded file is passed as an argument to the callback function.
Microsoft has implemented some security which does not allow downloading files in this way from a different domain.
But if the link points to a file in same domain as the exploit page and a HTTP redirect is forced,
then the exploit works.
It is not necessary the user to click on the link, this may be done automatically.
This vulnerability may be exploited using HTML email message or a newsgroup posting.

The code is:
----------------------------------------------------------------------------------------
<SCRIPT>
function doit(s)
{
 alert ("Here is your file:\n"+s);
}
</SCRIPT>
<A ID="oD" STYLE="behavior:url(#default#download)" HREF="javascript:oD.startDownload('http://www.guninski.com/reject.cgi?autoexec', doit)">Click here to read C:\AUTOEXEC.BAT</A>.
----------------------------------------------------------------------------------------
("http://www.guninski.com/reject.cgi?autoexec" just does a HTTP redirect to file://c:/autoexec.bat)

Workaround:
Disable Active Scripting

Demonstration:
Click here to read C:\AUTOEXEC.BAT.