There is a bug in Internet Explorer 4.x (patched) which allows reading local files and sending them to an arbitrary server.
The problem is: if you add '%01someURL' after an 'about:somecode' URL, IE thinks that the document is loaded from the domain of 'someURL'.
This circumvents "Cross-frame security" and opens several security holes.
The filename must be known.
For more info see the source.
Written by Georgi Guninski.