There is a security bug in Internet Explorer 5.0 which circumvents "Cross-frame security" and opens several security holes.
This is a modification of the "%01 security bug" (that was fixed in IE 5.0) I found in January.
The problem seems to be in the "Microsoft Scriptlet Component". If you add '%01someURL' after the URL you pass to "Microsoft Scriptlet Component", IE thinks that the document is loaded from the domain of 'someURL'. This page demonstrates spoofing windows.
Workaround: Disable Javascript
Go to Georgi Guninski's home page