Internet Explorer 4.01 allows remote malicious users to read local files and spoof web pages via a "%01" character in an "about:" Javascript URL, which causes Internet Explorer to use the domain specified after the character.
source: www.securityfocus.com/bid/197/info
On January 28, 1999, Georgi Guninski originally reported a vulnerability in Internet Explorer 4.x. Internet Explorer 4.x's implementation of cross-frame security could be bypassed if "%01" is appended to an arbitrary URL. If the specially malformed URL is inserted in a javascript after an 'about:' st ...
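
A defensive check for the pattern described above, as an added example that is not part of the original advisory: it scans page source for `about:` URLs that contain a percent-encoded control character such as `%01` and reports the text that follows it. The function names and the sample strings are assumptions constructed for illustration.

```javascript
// Added example (not from the advisory). All sample strings are constructed.

// Undo percent-encoding repeatedly (bounded) so double-encoded forms such as
// %2501 are reduced to the same control character as %01.
function decodeFully(s, maxRounds = 3) {
  let cur = s;
  for (let i = 0; i < maxRounds; i++) {
    const next = cur.replace(/%([0-9a-fA-F]{2})/g,
      (_, hex) => String.fromCharCode(parseInt(hex, 16)));
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Flag an about: URL that carries a control character (0x00-0x1F, 0x7F) and
// report the text after it, which the advisory says IE 4.01 uses as the domain.
function inspectUrl(raw) {
  const decoded = decodeFully(raw).replace(/^[\x00-\x20]+/, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(decoded);
  const scheme = m ? m[1].toLowerCase() : null;
  const idx = decoded.search(/[\x00-\x1f\x7f]/);
  if (scheme !== 'about' || idx === -1) {
    return { raw, scheme, suspicious: false, controlChar: null, trailing: null };
  }
  const code = decoded.charCodeAt(idx).toString(16).toUpperCase().padStart(2, '0');
  return { raw, scheme, suspicious: true, controlChar: '%' + code,
           trailing: decoded.slice(idx + 1) };
}

// Pull quoted about: strings out of HTML or script text and keep the flagged ones.
function scanSource(text) {
  const findings = [];
  const re = /(["'])(about:[^"'<>\s]*)\1/gi;
  let m;
  while ((m = re.exec(text)) !== null) {
    const finding = inspectUrl(m[2]);
    if (finding.suspicious) findings.push(finding);
  }
  return findings;
}

// Constructed sample page source (example.test is a reserved test domain).
const SAMPLE = [
  '<a href="about:blank">ok</a>',
  "<script>var u = 'about:x%01intranet.example.test';</script>",
  '<iframe src="about:x%2501intranet.example.test"></iframe>',
].join('\n');

for (const hit of scanSource(SAMPLE)) {
  console.log(`${hit.raw} -> ${hit.controlChar} followed by "${hit.trailing}"`);
}
```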